Camera surveillance – new rules in Sweden (EN)
The European Data Protection Board (the “EDPB”) recently adopted its Guidelines 3/2019 on processing of personal data through video devices (the “Guidelines”). The Guidelines provide guidance on how to apply the General Data Protection Regulation (the “GDPR”) in the event that personal data is processed due to video surveillance.
The Guidelines are the result of the EDPB’s increased focus on the large amount of personal data contained in video recordings and the potential of abuse, as well as the privacy risks with face recognition technology and the processing of biometric data. The Guidelines initially acknowledge that individuals may be comfortable with video surveillance set up for certain purposes, e.g. security. However, the EDPB highlights that (i) guarantees must be taken to avoid any misuse of surveillance for entirely different and unexpected purposes and (ii) the general principles in GDPR Article 5 (e.g. transparency, data minimization and retention) should always be carefully considered with regards to video surveillance. Further, in addition to privacy issues, data controllers should be aware of and take precautions against the risks of malfunction of surveillance devices and the biases they may induce. The EDPB also emphasises that video surveillance will not be considered as “necessary” (when establishing a lawful basis) where there are other means of achieving the underlying purpose.
As of August 2018, a new camera surveillance legislation applies in Sweden. Unlike the prior legislation, private companies, which do not perform a duty of public interest, no longer need a camera surveillance permit. The rules of GDPR are considered sufficient to ensure that the processing of personal data does not violate an individual's personal integrity. Hence, private companies do not need permission, but must instead make sure that they meet the requirements of the GDPR. This implies that Swedish companies, and other companies that conduct most of their processing of personal data in Sweden, are dependent on adequate guidelines from the EDPB in relation to the interpretation of the GDPR.
Currently, the Guidelines provide impractical guidance in relation to the legitimate interest and video surveillance for security purposes, despite extensive criticism during its referral. The guideline proposal was criticised for being too strict and impractical, e.g. it stated that a shopkeeper must first be subject to a robbery and then carefully document this and/or present statistics on crime in the area in order to have the right to introduce video surveillance in the store. The EDPB does not appear to have addressed the criticism to any extent, since the changes that have taken place after the draft proposal are mainly editorial.
Furthermore, consent is mentioned as a legal basis in the EDPB Guidelines. It seems unlikely that data controllers using video surveillance systems would collect the consent of data subjects before the processing of personal data initiates. Thus, consent as a legal basis would most likely only be used in exceptional cases.
In essence, the Guidelines requires that comprehensive information is provided to data subjects in relation to the surveillance. This requirement goes beyond current Swedish legislation and best practice in Sweden. Further, the Guidelines clarify and provide specific examples of what aspects that require consideration when applying video surveillance. However, some parts of the Guidelines are impractical and strict and may be difficult for companies to comply with. We recommend that companies using camera surveillance to review its policies and information to data subjects in order to verify compliance.