With video surveillance becoming less expensive and more widely available, our images are increasingly recorded. But things are not as Orwellian as they seem. Even before drones, dashcams or video doorbells became everyday items, regulators established requirements for video surveillance. How long an entity can retain images depends on several things, including the areas the cameras cover, the type of business capturing the image, and the events captured.
Most international video surveillance requirements are not found in regulations, directives, or statutes. Rather, these requirements are frequently governed by data protection authorities through guidelines, decisions, or standards. But don’t let these titles fool you about their enforceability. Data protection authorities view these guidelines at the very least as best practices, and EU member states reference them when sanctioning and fining an entity for non-compliance.
Video Surveillance Coverage: Areas and Businesses
Generally, businesses using video surveillance are required to inform the public they are under video surveillance, in line with many data protection laws which mandate data subjects be informed their data is being processed. The EU Data Protection Supervisor states these notices “are mandatory because individuals affected by video surveillance must be informed upon its installation about the monitoring, its purpose, and the length of time for which the footage is to be kept and by whom.”[1]
Video surveillance requirements also force businesses to limit surveillance to areas like parking lots, building entrances, or streets. This does not mean surveillance cameras can cover wide swaths of these areas. Businesses are further limited to recording those areas of parking lots or building access or emergency exits that justify the protection of individuals and property.
Certain businesses are required to use video surveillance, such as banks, casinos, ATMs, and other financially-related businesses. Legal requirements also note that certain areas never justify video surveillance, like bathrooms, changing rooms, and pools. These areas are considered inherently private, and legal requirements recognize that data subjects deserve a heightened level of legal protection from video surveillance.
Incident Versus Non-Incident
In the legal realm, there are two main types of surveillance that regulators are looking at: incident and non-incident camera footage. Whether footage captures evidence of an incident will determine the retention period for that section. Most recordkeeping requirements set a minimum amount of time records must be retained. Recordkeeping requirements for video surveillance, however, typically set a maximum amount of time these images can be kept. Incident-capturing footage requirements follow this same method but may allow for slightly longer retention periods. For example, Greece doubles the amount of time businesses may keep video surveillance images following an incident. Generally, where surveillance footage does not contain images of an incident, the maximum amount of time this footage can be retained may be a few months, weeks, days, or hours.[2]
EU member states have some of the strictest requirements when it comes to video surveillance. For example, under Austrian law, images may be retained no longer than 72 hours.[3] In Germany, this period is 48 hours.[4] And in Italy, video surveillance must not be retained longer than 24 hours.[5] Complying with these limitations can prove difficult when an entity does not frequently check its surveillance footage, such as over a weekend or a holiday. Accordingly, regulators acknowledge that these retention periods may require some flexibility. Some regulators also permit for a longer retention period when parties consent through written agreements.[6]
Most legal requirements allow for longer retention when images are necessary for court proceedings or criminal investigations. However, investigating a crime or incident does not give an entity carte blanche to retain images indefinitely.[7] Typically, legal requirements require destruction within a few months, weeks, or days of the conclusion of an investigation or related proceedings.
Legal Requirements Versus System Capabilities
Video surveillance is one area where the law and technology play leapfrog. Sometimes the legal requirements are ahead of their time; sometimes technology is cutting edge. As noted, some European jurisdictions allow video surveillance retention for only hours or days. Not all video surveillance systems are created equal, and some systems do not have the capability to automatically erase footage every 24 hours. When this is the case, entities must be careful to note their surveillance footage retention periods in their notices and policies.
Conclusion
Whether you are a privacy-minded individual concerned about your image being captured through video surveillance or a business concerned about legal repercussions from your video surveillance practices, data protection authorities and regulators have provided guidelines on what your rights are. To learn more about how video surveillance may affect your business, contact Zasio today.
[1] European Data Protection Supervisor, Video Surveillance, “What are the main data protection issues?”
[2] EDPB Guidelines 3/2019 on processing of personal data through video devices (8)(119).
[3] Ordinance of the data protection authority on the exemptions from the data protection impact assessment.
[4] Short Paper on Video surveillance according to the General Data Protection Regulation.
[5] Video Surveillance Decision 2010.
[6] Ordinance of the data protection authority on the exemptions from the data protection impact assessment.
[7] EDPS Guidelines on video-surveillance (7.1.1).
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.