An Active Summer for GDPR: Part II, Video Surveillance Data and the US CLOUD Act

In an effort to make sure everyone is up-to-date on the guidelines, decisions, and other relevant changes in European data protection, XPAN is providing a breakdown of what you may have missed over those relaxing summer months. Last week (available here), we provided a breakdown of the first of two plenary sessions held by the European Data Protection Board (EDPB), where the Board adopted key guidelines related to codes of conduct and certifying bodies under the General Data Protection Regulation (GDPR).

This week, we are delving into the Twelfth Plenary session, where the Board’s agenda was voluminous and focused on a variety of topics, including video surveillance under the GDPR, the implication of the US CLOUD Act on cross-border access to electronic evidence (see our two prior posts giving context on the US CLOUD Act here and here), and an opinion on the Standard Contractual Clauses for processors. This blog post is the first of a two-part breakdown of the Twelfth Plenary session.

Video Surveillance Data

The EDPB adopted Guidelines 3/2019 on processing of personal data through video devices, a topic that is garnering increasing attention from regulators as technology continues to advance at an accelerated rate and become more invasive into an individual’s autonomy. The use of video surveillance is a topic within the United States as well, with San Francisco banning the use of facial recognition technology by the police and a number of states adopting biometric data laws.  

The EDPB’s guidelines sum up the risks to individual privacy under video surveillance as follows:

The intensive use of video devices has an impact on citizen’s behaviour. Significant implementation of such tools in many spheres of the individuals’ life will put an additional pressure on the individual to prevent the detection of what might be perceived as anomalies. De facto, these technologies may limit the possibilities of anonymous movement and anonymous use of services and generally limit the possibility of remaining unnoticed. Data protection implications are massive.  

Guidelines 3/2019, ¶ 1. Because video surveillance can be used to identify an individual, the video constitutes protected personal data under the GDPR. Further, to the extent that any data revealed in the video surveillance would consist of special categories of data, Article 9 applies to that processing as well. ¶ 62. The Guidelines also expressly recognize the “heightened risks” to biometric data (i.e., “raw data, such as the physical, physiological or behavioural characteristics of a natural person”) created by video surveillance, and require that extra precautions be taken when that biometric data is used to uniquely identify an individual. ¶ 72-74. 

As with any type of personal data under the GDPR, a key assessment is whether a lawful basis exists to collect and process the personal data. The Guidelines directly address the lawful basis for processing video surveillance data and caution that it is a fact-specific inquiry that needs to be made for each use case. The EDPB does note that there are likely two lawful bases that will apply in most circumstances: (1) Article 6(1)(f) (legitimate interest); and (2) Article 6(1)(e) (necessity to perform a task carried out in the public interest or in the exercise of official authority). ¶ 16. The Guidelines make clear that “[v]ideo surveillance based on the mere purpose of “safety” or “for your safety” is not sufficiently specific.” ¶ 15. 

The discussion of lawful basis that is likely the most relevant for commercial organizations is legitimate interest. The EDPB clarifies that the interest can be “legal, economic or non-material interests.” ¶ 18. In the event that a data subject exercises her right to object to the processing of her video surveillance data under Article 21, “the controller can only proceed with the video surveillance of that data subject if it is a compelling legitimate interest which overrides the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.” ¶ 18 (emphasis in original). There are two components that must be in existence for legitimate interest to apply: (1) it must be “of real existence” and (2) “a present issue.” ¶ 20. 

Further, the Guidelines require that the personal data “be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’), see Article 5(1)(c).” ¶ 24. There are two factors that should be taken into consideration: is this measure (1) “suitable to attain the desired goal”, and (2) “adequate and necessary for its purposes.” ¶ 24. Further, the EDPB cautions that “[v]ideo surveillance measures should only be chosen if the purpose of the processing could not reasonably be fulfilled by other means which are less intrusive to the fundamental rights and freedoms of the data subject.” ¶ 24.

Even if there is an adequate lawful basis for the use of video surveillance, the EDPB requires a “mandatory” balancing test to determine “if the legitimate interests of the controller or those of a third party (e.g. protection of property or physical integrity) are not overridden by the interests or fundamental rights and freedoms of the data subject.” This balancing test requires consideration of two factors: “1) to what extent the monitoring affects legitimate interests, fundamental rights, and freedoms of individuals and 2) if this causes violations or negative consequences with regard to the data subject’s rights.” ¶ 30. 

Interestingly, the EDPB makes it clear that any disclosure of this video surveillance data to a third party requires its own lawful basis (and as such, would require separate analysis under the above guidelines to ensure compliance with the GDPR). ¶ 52. And, the EDPB cautions that the recipient of any such data should conduct its own analysis to ensure that the data is transmitted under an adequate lawful basis. ¶ 54. Disclosures to law enforcement also involve “an independent process, which requires a separate justification for the controller.” ¶ 55.

Finally, the Guidelines address some special considerations for data subject rights when dealing with video surveillance. Even though data subjects have the right to access this data under Article 15, there are limitations. ¶ 91 – 92. Namely, the controller should take into account any potential adverse impacts on other third-party data subjects before providing video surveillance to a data subject. ¶ 93. Data subjects still retain the right to erasure and right to object to processing video surveillance along the lines of other personal data. ¶ 98 – 107. 

So, what does all of this mean for business? There is nothing truly surprising about these Guidelines and, in fact, they provide helpful guidance on how to balance the use of video surveillance against the need to have the appropriate analysis and documentation in place. Like most of the GDPR, it is about using compliant processing mechanisms and then proving that you are using compliant mechanisms, and about narrowly tailoring the use of that video surveillance to only what is necessary to meet the legitimate interests of the company.

Cross-Border Access to Electronic Discovery

Earlier this year, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) requested that both the European Data Protection Supervisor (EDPS) and the EDPB provide a legal assessment as to the impact of the US Clarifying Lawful Overseas Use of Data Act (US CLOUD Act) on the protection of personal data. (The EDPS addresses and oversees the processing of personal data by European institutions and bodies.) LIBE’s request ties into the ongoing controversy around the transfer of personal data from the EU to the US, with litigation currently pending in the European Court of Justice (see here for an analysis of the current Schrems II case dealing with the EU-US Privacy Shield framework).

The EDPB, in conjunction with the EDPS, issued a Joint Response to the LIBE Committee on the impact of the US CLOUD Act on the European legal framework for personal data protection. The legal assessment provided in the Joint Response is limited to the “specific context of requests made by US law enforcement authorities under the US CLOUD Act for criminal investigations purposes.”

A brief background for context may be helpful: the CLOUD Act directly resulted from a case that was, at the time, pending before the Supreme Court of the United States, the Microsoft case. In short, the US government issued a subpoena for data from a certain individual user that was held by Microsoft, and Microsoft stated that it could not comply to the extent that the data was stored on servers located outside of the United States. (A deeper dive into both the CLOUD Act and the Microsoft case can be found on our blog.) Before a decision could be provided by the Supreme Court, Congress adopted the CLOUD Act, which resolved the dispute with Microsoft.

As a result of the adoption of the CLOUD Act, the EU has questioned its application when the data sought consists of personal information that is stored within the EU (and therefore, protected by the GDPR). The Joint Response sums up the quandary succinctly: “The US CLOUD Act therefore entails the possibility that such electronic communication or remote computer service providers are compelled to answer a request by US law enforcement authorities for the disclosure of personal data that are subject to the provisions of the GDPR.” ANNEX, 1. 

The Joint Response notes that the CLOUD Act is not intended to provide for the “systematic, large scale and/or indiscriminate collection of personal data”; instead, it provides authority for targeted requests specific to law enforcement investigations. ANNEX, 2. However, the full scope of the CLOUD Act is still an unknown:

Other questions regarding the scope of application of the US CLOUD Act remain to be resolved, (e.g. whether it applies to EU operators with some “presence” in the US, and how the concept of “control” is to be interpreted in practice, in particular with regard to affiliated companies of US based companies, established in the EU). 

ANNEX, 2. Therefore, there is a very real possibility that companies could be subject to both the CLOUD Act and the GDPR, creating a conflict in compliance with both legal requirements.

The Joint Response makes clear that, under Article 48, a request from a government authority, if not supported under international law or an international agreement, does not qualify as a legal ground for transfer. ANNEX, 3. Since the EU and the US have entered into the Mutual Legal Assistance Treaty, that Treaty governs the transfer of personal data under these circumstances (and such transfers cannot be upheld under the EU-US Privacy Shield or any other such agreement).

Based on this analysis, the Joint Response cautions that there are only two mechanisms to lawfully transfer data in these circumstances: (1) under Article 6 (lawful basis) or (2) Article 49 (derogation). The Joint Response provides for a two-part test that “must be applied when it comes to any transfer of personal data to third countries as per the GDPR.”

  1. “[F]irst, a legal basis must apply to the data processing as such together with all relevant provisions of the GDPR;” and
  2. Second, “the provisions of Chapter V must be complied with.”

ANNEX, 4. 

The Joint Response makes clear that, in conducting this analysis, “the interests or fundamental rights and freedoms of the data subject would override the controller interest such as not to be sanctioned by the US for eventual non-compliance with the request.” ANNEX, 5. Further, to the extent that a derogation under Article 49 is relied upon for the transfer of data, it should be “interpreted strictly.” ANNEX, 6. 

Ultimately, the Joint Response concludes that “an international agreement containing strong procedural and substantive fundamental rights safeguards appears the most appropriate instrument to ensure the necessary level of protection for EU data subjects and legal certainty for businesses.” ANNEX, 8. And, since the CLOUD Act is not yet recognized by any such agreement, “the lawfulness of such processing cannot be ascertained, without prejudice to exceptional circumstances where processing is necessary in order to protect the vital interests of the data subject on the basis of Article 6(1)(d) read in conjunction with Article 49(1)(f).” ANNEX, 8. While leaving room for additional analysis under this topic, the Joint Response cautions that controllers and processors subject to the CLOUD Act must still ensure compliance with the GDPR.  

While this Joint Response is by no means the end of the conversation, it does provide key insight into the weight of the GDPR, and data protection generally, within the EU. In essence, the EU is signaling (as it often has in the last year plus of the GDPR’s enforcement) that data protection will be held in high regard and given the full protection of the law.

For US companies, the risk of a conflict between the US and EU law is very real. If a company is subject to both the CLOUD Act and the GDPR, it is very important that a full analysis is conducted in order to ascertain how to respond when presented with a US authority request that impacts GDPR protected data. And, this Joint Response is a reminder that a US legal obligation will not satisfy the requirements of the GDPR if it is not memorialized in some type of international agreement. What does that mean in the practical sense? When relying on a legal obligation or legitimate interests in processing data, it is important to recognize the distinction between European obligations and US obligations. 

Next week, we will turn to the remainder of the significant adoptions by the EDPB during the Twelfth Plenary session! And, then on to the real headlines of the summer: the fines and enforcement of the GDPR with key takeaways for companies operating under the GDPR requirements.

* * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.