DPC (Ireland) - 05/SIU/2018

From GDPRhub
DPC - 05/SIU/2018
LogoIE.png
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 2 GDPR
Article 5 GDPR
Article 6 GDPR
Article 13 GDPR
Article 26 GDPR
Article 32 GDPR
Article 58 GDPR
Article 83 GDPR
Law Enforcement Directive 2016/680
Irish Data Protection Act 2018
Irish Roads Act 1993
Type: Investigation
Outcome: Violation Found
Started:
Decided: 16.01.2023
Published: 03.03.2023
Fine: 50000 EUR
Parties: n/a
National Case Number/Name: 05/SIU/2018
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Irish DPA (in EN)
Initial Contributor: LR

The Irish DPA fined Kildare County Council €50,000 for unlawful processing of personal data using CCTV cameras, a lack of transparency, and inadequate security measures.

English Summary

Facts

This case involves an own-volition investigation conducted by the Irish DPA (DPC) into Kildare County Council, the controller. In June 2018, Officers from the Special Investigations Unit of the DPC were authorised to conduct a range of inquiries pertaining to surveillance technologies deployed by state authorities, including An Garda Síochána (the national police) and various local authorities, including Kildare County Council. These inquiries sought to determine whether the data processing was lawful, and also to ensure that full accountability measures for the collection and processing of personal data were in place, in advance of further investment in and deployment of newer surveillance technology.

The investigation into Kildare County Council focused on the following: the legal basis for surveillance technology employed for the purposes of preventing, investigating, detecting or prosecuting crime; the legal basis for surveillance tech deployed for purposes other than preventing, investigating, detecting, or prosecuting crime; appropriate signage and general transparency; and the question of a joint controller agreement between the council and the national police. Furthermore, the authority sought to examine the security measures for traffic management CCTV; housing department CCTV; and the transmission of CCTV footage to An Garda Síochána.

Holding

Issuing its final decision, the DPC began by establishing that not all of the processing of personal data in question is regulated by the GDPR. Any processing of personal data for the purposes of prevention, investigation, detection, or prosecution of criminal offences is regulated by the Law Enforcement Directive (LED) supplemented into Irish law by the Irish Data Protection Act 2018 (“the 2018 Act”). The other personal data processing at issue here is covered by the GDPR. For further information and relevant legal provisions, please see Article 2(2)(d) GDPR, Articles 1 and 2 LED, and Part 5 and 6 of the 2018 Act.

The first issue addressed in the DPC’s decision was the legal basis for the surveillance technologies employed for the purposes of preventing, investigating, detecting or prosecuting crime. In particular, this concerned CCTV systems deployed in a number of housing estates and Traveller caravan parks in the area. While the County Council initially submitted that the lawful basis for this processing was Article 6(1)(c) and 6(1)(d) GDPR, after clarifying that the relevant regime is the LED, the DPC sought to examine the justification for processing in light of this Directive and the 2018 Act. The controller sought to rely on its ‘estate management functions’ as set out in domestic housing legislation, and the powers to combat anti-social behaviour afforded therein. In accordance with the 2018 Act, personal data must be processed lawfully and fairly (Section 71(1)(a)) and the processing will only be lawful where the subject has given their consent, or where the processing is necessary for the performance of a function of the controller for a purpose specified in Section 70(1)(a) and the function has a legal basis in the law of the EU or Ireland (Section 71(2)). Furthermore, for special category data, one of the additional nine conditions in Article 73(1)(b) must be met. After examining the case, the DPC found no requirement to support the development of CCTV cameras in the estates as described above. The cited Irish legislation places no requirement upon the local authority to monitor in this way, and makes no reference to CCTV cameras. Furthermore, given that Irish Travellers are an ethnic group, and their accommodation has a distinct design and layout, the activities also represented the illegal processing of special category data. The DPC found an infringement of Sections 71(1)(a) and 73 of the 2018 Act.

With regards to CCTV cameras located on the grounds of 2 supermarkets for the purpose of detecting illegal dumping. The investigation found that these cameras had not been operational before, during or after the investigation, and accordingly the DPC found no violation of the 2018 Act.

Thereafter the DPC decision addressed the second issue: the legal basis for the surveillance technologies employed for purposes other than for preventing, investigating, detecting or prosecuting crime. In particular, the authority investigated CCTV used for: traffic management; the sharing of live feed traffic with An Garda Síochána; and the use of ANPR cameras, which recognise and digitise number plates. With regard to processing for traffic management, the Council sought to rely on the Irish Roads Act 1993, which places obligations upon public authorities to, among other things, provide for the safety or convenience of road users. Accordingly, the council argued they had a lawful basis for processing was in the public interest (Article 6(1)(e) GDPR). The DPC held that, given the significant potential impact to fundamental rights of a widespread video surveillance system, the Roads Act is not sufficiently clear, precise or foreseeable to constitute a valid legal basis for the processing of personal data in accordance with Article 6(1)(e) GDPR. There was also a complete lack of legal basis for the sharing of a live traffic feed with An Garda Síochána. Furthermore, for the use of ANPR cameras to be lawful under Article 6(1)(e) GDPR, it would be necessary for the legislature to specifically grant power to the local authority to carry out such processing in a manner which is clear, precise and foreseeable for the data subjects. As the Roads Act does not explicitly permit such processing, the Council does not have a lawful basis to operate ANPR cameras. In light of the above, the DPC found that the Council had violated Article 5(1)(a) GDPR in all 3 respects.

The third question investigated was the presence of appropriate signage and general transparency. The investigation found that no appropriate signage had been installed to inform data subjects of the use of CCTV for traffic management purposes. Accordingly, the DPC held there had been a violation of Article 13 GDPR.

Regarding the fourth issue, the DPC investigated the question of whether the Kildare County Council could be considered “joint controllers” with respect to Article 26 GDPR. The Decision finds that while An Garda Síochána used the CCTV footage for the prevention of crime, there is no evidence that the two entities “jointly” determined the purposes of processing. In other words, there is no connection between the Council’s decision to use the cameras for traffic management purposes and An Garda Síochána’s decision to then use the live feed for monitoring and preventing crime. Accordingly, the Council has not violated Article 26 GDPR.

The DPC also made a number of findings regarding the security measures implemented by the Council. The Council failed to maintain a data log that recorded which users had accessed the CCTV cameras, thereby infringing Article 32(1) GDPR. The Council also violated Sections 71(1)(f), 72(1) and 78 of the 2018 Act by failing to implement appropriate technical or organisational security measures when installing the CCTV cameras. Furthermore, by failing to keep a data log, the Council also violated Section 82(2) of the 2018 Act. The Council also infringed Section 71(1)(c) and Section 76(2) of the 2018 Act by recording CCTV of private properties, in the absence of any privacy masking technology. Additionally, the Council infringed Section 71(10) of the 2018 Act by failing to be in a position to demonstrate that its processing of personal data via CCTV cameras at one location was not excessive to its purpose of preventing anti-social behaviour. Finally, The Council infringed its obligations under Sections 71(1)(f), 72(1) and 78 of the 2018 Act in connection with arrangements surrounding the transfer of personal data to An Garda Síochána using unencrypted USB sticks.

Exercising its corrective powers, the DPC imposed a temporary ban on the processing of personal data with CCTV for the purposes of criminal law enforcement and traffic management, until a legal basis can be identified. Furthermore, they imposed an order for Kildare County Council to bring its processing into compliance with the legislation, and imposed an administrative fine of €50,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Kildare County Council - January 2023

Inquiry into Kildare County Council - January 2023

Final Decision: Kildare County Council - January 2023