DPC (Ireland) - 06/SIU/2018
DPC - 06/SIU/2018 | |
---|---|
Authority: | DPC (Ireland) |
Jurisdiction: | Ireland |
Relevant Law: | Article 5(1)(a) GDPR Article 24 GDPR Article 35(1) GDPR Law Enforcement Directive 2016/680 Irish Data Protection Act |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 22.08.2023 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 06/SIU/2018 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | DPC (in EN) |
Initial Contributor: | co |
During an own volition inquiry into processing activities carried out by the Galway County Council, the DPC found violations of Article 5(1)(a) GDPR, Article 24 GDPR and Article 35(1) GDPR.
English Summary
Facts
The Irish DPC started an own volition inquiry into processing operations carried out by the Galway County Council (the controller), focusing mainly into the surveillance technologies deployed by state authorities, including the Galway County Council and by the An Garda Síochána (the Irish police).
More specifically, the Galway County Council Officials make use of CCTV systems, body-worn cameras and automated number plate recognition (ANPR) technologies for various purposes including law enforcement purposes. The DPC carried out its assessment both on the basis of the GDPR and of the Law Enforcement Directive (LED) for activities meant to prevent, investigate, detect and prosecute crime or for the execution of criminal penalties.
Holding
In its inquiry, the DPC assessed the legitimacy of processing activities by the controller in light of both the GDPR and the Irish Data Protection Act and the LED, as different processing activities pursued different purposes. The DPC held with respect to body-worn cameras and ANPR systems that the GDPR applies to these processing activities as they mainly serve health and safety and traffic management purposes respectively, thus no law enforcement purposes. Making reference to the strict interpretation in CJEU jurisprudence, the DPC held that in order for a processing activity to fall under the scope of the LED, it must be specifically and concretely used for law enforcement purposes and it does not suffice that the data could potentially (emphasis added) be processed for law enforcement purposes.
Firstly, as regards ANPR cameras used for traffic management, the DPC held that the latter enable identification of data subjects within the vehicle and thus constitutes processing of personal data. The legal basis referred to by the Council is Article 6(1)(e) GDPR. The DPC held that processing ex Article 6(1)(e) GDPR, read in light of Article 6(3) GDPR and Recital 41 GDPR requires a legal basis to set out the conditions for processing clearly, precisely and in a foreseeable way. In this case, the DPC held that the use of ANPR cameras does aid to the traffic management function of officials but it may also have significant impacts on the rights and freedoms of data subjects. The DPC concluded that the national provisions relied on by the controller to make use of such cameras are too broad and cannot constitute a legal basis for the Council to deploy APNR cameras for traffic management purposes. Hence, the DPC found the Council had acted in violation of Article 5(1)(a) GDPR.
In addition to this, the DPC considered whether the controller complied with its Article 24(1) GDPR obligation to adopt appropriate technical and organizational measures to ensure and demonstrate GDPR-compliant processing activities, also by means of a data protection policy as per Article 24(2) GDPR. The DPC held that the controller failed to comply with its obligation under Article 24(1) GDPR with respect to the use of ANPR cameras for traffic management purposes as it failed to demonstrate compliance with the GDPR.
Further, the DPC also found the controller had failed to comply with its obligation to carry out a Data Protection Impact Assessment by virtue of Article 35(1) GDPR for the use of APNR cameras for the systematic monitoring, tracking and observing of individuals.
Secondly, the DPC considered the use of a body-worn camera by a Housing Tenacy Officer who had been threatened while conducting official activities. The legal basis relied upon by the Council in this case was Article 6(1)(d) GDPR, which allows for processing activities that are necessary to protect the vital interest of an individual. Further the Council also relied on Article 6(1)(e) GDPR as it is required to comply with health and safety obligations towards its employees set out in two specific Acts. As regards the use of body-worn cameras on the basis of Article 6(1)(d) GDPR, the DPC held that the controller failed to carry out a test for proving the necessity of the use of such cameras before their actual use. Hence, the controller failed to prove that such measure was necessary to protect the vital interest of the officer or to perform a task in the public interest. As for the use of such cameras on the basis of Article 6(1)(e) GDPR, the DPC held that again the controller did not rely on a clear, precise and foreseeable provision in the law allowing specifically for the body-worn cameras to be used. In this case too, the DPC held that the Council had infringed Article 5(1)(a) GDPR.
Lastly, the DPC held that the controller infringed Article 24(1) GDPR to the extent that it failed to raise staff awareness on the principles of data processing, which counts as an organizational measure to be adopted by the controller under Article 24(1) GDPR.
With respect to all the above mentioned violations, the DPC decided to adopt the following corrective powers: it provisionally banned the use of body-worn cameras and APNR cameras until a valid legal basis is identified and issued a reprimand concerning the violation of Article 24 GDPR.
The rest of the activities carried out by the Galway County Council were assessed in light of the provisions of the LED, and the DPC found several violations in that respect too.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Inquiry into Galway County Council - August 2023 Date of Decision: 22 August 2023 This inquiry sought to assess whether Galway County Council was processing personal data in compliance with the GDPR and the Data Protection Act 2018. The inquiry examined a number of the Council’s processing operations including its use of CCTV cameras in public places used for the purposes of prosecuting crime or other purposes. The findings made in the decision include: Findings that Galway County Council lacked a valid legal basis for processing of personal data from CCTV, ANPR and body-worn cameras. Findings that Galway County Council failed to erect appropriately worded and located signage in respect of the processing of personal data collected via these CCTV cameras for purposes related to law enforcement. The other findings in the decision include infringements relating to Galway County Council’s obligations to carry out data protection impact assessments, to maintain data logs for specific accesses to CCTV recordings, and to implement appropriate technical and organisational measures. Corrective Powers Exercised: A temporary ban on the processing of personal data through CCTV cameras and ANPR cameras at a number of locations until a valid legal basis can be identified. A temporary ban on the processing of personal data through body-worn cameras until a valid legal basis can be identified. An order to Galway County Council to bring its processing of personal data into compliance taking certain actions specified in the decision. A reprimand in respect of Galway County Council’s infringement of Article 24 GDPR. For more information, you can download the full decision at this link: Inquiry into Galway County Council - August 2023 (PDF, 2.6mb).