Purpose limitation and data minimisation
One of the goals of the sandbox was for the Data Protection Authority to assess the significance of Doorkeeper’s solution in the context of the principles of purpose limitation and data minimisation.
Purpose limitation
Before an enterprise can process personal data, it must clearly define the purpose of the processing. Closely related to this is the principle of purpose limitation. Purpose limitation entails that personal data may only be processed for specified, explicit and legitimate purposes. Personal data must not be processed in a manner that is incompatible with these purposes.
When the processing of personal data begins, the purposes shall already be defined. This entails that personal data may not be processed simply because it may prove useful in the future. The purposes must be defined and explained in a sufficiently specified manner. This means that the “data subjects” – i.e. the persons whose data the enterprise is processing – must have a clear and unambiguous understanding of what the personal data will be used for. That the purpose must be legitimate means that – in addition to having a legal basis – it also must comply with other ethical and legal standards.
Data subjects have the right to understandable information about the purpose of the processing of their personal data (in accordance with Articles 12, 13, 14 and 15). It is therefore important that the purposes are defined in a specific and transparent manner and documented in writing.
If an enterprise wants to make use of video monitoring, it will not be sufficient to refer to a vague and unspecified reason, such as “security”. The purpose must be defined more specifically and must be tied to a real need, e.g. imminent risk of theft or vandalism. Monitoring for specified security purposes may also not be used for other, incompatible purposes, such as the monitoring of employees.
Data minimisation
Data minimisation is a key principle enterprises must consider for compliance with data protection legislation. This legislation – including the principle of data minimisation (lovdata.no) – requires that the data used must be adequate, relevant, and limited to what is necessary to achieve the purpose for which it is being processed. This means that one cannot process more personal data than what is necessary to achieve the purpose.
Modern video monitoring technology – including Doorkeeper’s solution – has the potential to make the processing of personal data less invasive, and it is possible to prevent the collection of data that is not relevant for the purpose.
Data minimisation in practice: intelligent video analytics of the traffic network
Doorkeeper has considerable control over which types of personal data are registered in the solution. In line with this, Doorkeeper and the Data Protection Authority have discussed two hypothetical examples that illustrate how the solution may facilitate data minimisation. Both examples involve the registration of vehicles in the traffic network.
The sandbox project has not made any further legal assessments of the examples – such as whether there are more suitable measures than the use of video monitoring.
Example 1:
The purpose of the monitoring is to register the number and type of vehicles in the traffic network using intelligent video analytics. The purpose is to register the number of vehicles with various classifications (passenger cars, passenger cars with trailers, buses, motorcycles) that are using Norwegian roads.
Doorkeeper found that it is theoretically possible to register the number and types of vehicles without making recordings or transferring a video feed out of the camera body. For example, the system can run code in the camera body that converts local recordings of vehicles into figures that summarise the number and types of vehicles. Although the video feed is being processed in the camera body – which would indicate that personal data is being processed – the processing will potentially be significantly less invasive for the privacy of road users than in solutions based on continuous video recordings or other methods that involve the storage of personal data.
If it is technically possible to achieve the aforementioned purpose with a form of analysis where no personal data is being processed, the data minimisation principle indicates that this alternative must be chosen.
Example 2:
The purpose of the monitoring is to identify fire and smoke in the road network, to send notifications about traffic accidents. In this case, it could be appropriate to have a camera capable of transferring a recording if an event is detected. Recordings of roads would, however, entail that Doorkeeper (or the customer) is processing identifying information, such as faces of drivers or passengers and vehicle registration numbers. In addition, other text on vehicles may constitute personal data, as company names can often be linked to a specific natural person.
In this case, it will be appropriate for the data controller to limit what is collected in terms of identifying data in the video feed. Censoring of both faces and vehicles (including text that may display company names, etc.) would therefore be appropriate to ensure data minimisation.
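The two camera-side pipelines described in Example 1 and Example 2 can be sketched in code. The following is an added illustration, not Doorkeeper's code or any part of its solution: the frame is a small constructed grayscale image, the detections stand in for the output of an in-camera detector, and the `event_detected` flag stands in for a fire/smoke classifier. All names (`VehicleClass`, `count_vehicles`, `export_on_event`, `redact`) are this example's own. The point it makes is structural: in the first pipeline only per-class counts leave the camera body, and in the second nothing leaves unless an event fires, and what then leaves has faces, plates and vehicle text blanked first.

```python
"""Added example (not Doorkeeper's code): two data-minimising camera-side
pipelines modelled on the sandbox's Example 1 and Example 2.

Everything here is constructed for illustration: the frame is a tiny
grayscale image (list of rows of 0-255 ints), the detections are hand-written
stand-ins for an in-camera detector, and the event flag stands in for a
fire/smoke classifier.
"""
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

Box = Tuple[int, int, int, int]  # (x0, y0, x1, y1), half-open pixel ranges


class VehicleClass(str, Enum):
    CAR = "passenger_car"
    CAR_TRAILER = "passenger_car_with_trailer"
    BUS = "bus"
    MOTORCYCLE = "motorcycle"


@dataclass
class Detection:
    vehicle: VehicleClass
    box: Box
    # Regions inside the detection that could identify a person:
    # faces, registration plates, company text on the vehicle body.
    identifying: List[Box]


# --- Example 1: count in the camera body; only aggregates leave ------------

def count_vehicles(detections: List[Detection]) -> Dict[str, int]:
    """Reduce one frame's detections to per-class counts.

    The returned dict is the only thing transmitted out of the camera;
    no pixels, boxes or per-vehicle timestamps are retained or sent.
    """
    counts = Counter(d.vehicle.value for d in detections)
    # Report every class, including zeros, so the consumer never needs the frame.
    return {v.value: counts.get(v.value, 0) for v in VehicleClass}


# --- Example 2: transfer a frame only on an event, after redaction ----------

def redact(frame: List[List[int]], boxes: List[Box], fill: int = 0) -> List[List[int]]:
    """Return a copy of the frame with every box overwritten by `fill`.

    Boxes are clipped to the frame; the input frame is not mutated.
    """
    out = [row[:] for row in frame]
    for x0, y0, x1, y1 in boxes:
        for y in range(max(0, y0), min(len(out), y1)):
            for x in range(max(0, x0), min(len(out[y]), x1)):
                out[y][x] = fill
    return out


def export_on_event(frame: List[List[int]], detections: List[Detection],
                    event_detected: bool) -> Optional[List[List[int]]]:
    """Camera-side gate: nothing leaves unless an event (fire/smoke) fired,
    and the frame that leaves has all identifying regions removed first."""
    if not event_detected:
        return None
    to_hide = [b for d in detections for b in d.identifying]
    return redact(frame, to_hide)


def make_sample_frame(width: int = 8, height: int = 6) -> List[List[int]]:
    """Constructed grayscale frame with a gradient, so redaction is visible."""
    return [[(x * 31 + y * 17) % 256 for x in range(width)] for y in range(height)]


# Constructed detections for one frame: two cars and a bus.
SAMPLE_DETECTIONS = [
    Detection(VehicleClass.CAR, (0, 0, 4, 3), identifying=[(1, 1, 3, 2)]),  # plate
    Detection(VehicleClass.CAR, (4, 0, 8, 3), identifying=[(5, 0, 6, 1)]),  # face
    Detection(VehicleClass.BUS, (0, 3, 8, 6), identifying=[(0, 5, 8, 6)]),  # company text
]

if __name__ == "__main__":
    frame = make_sample_frame()
    print("Example 1, what leaves the camera:", count_vehicles(SAMPLE_DETECTIONS))
    print("Example 2, no event:", export_on_event(frame, SAMPLE_DETECTIONS, False))
    print("Example 2, event detected (redacted frame):")
    for row in export_on_event(frame, SAMPLE_DETECTIONS, True):
        print(row)
```

Two design choices matter for the data minimisation argument. `count_vehicles` returns a fixed set of class names with counts, so a consumer has no reason to ask for anything finer-grained, and `export_on_event` returns `None` rather than an unredacted frame on the no-event path, so the "safe" default requires no configuration by the customer.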
The necessity of processing and consideration of alternative measures
If, for example, the data controller wants to prevent crimes against their property, the data controller may, instead of installing a video monitoring system, consider implementing alternative security measures, such as a fence around the property, regular security inspections, security guards, ensuring better lighting, installing security locks, making windows or doors burglar proof, or installing anti-graffiti coatings on the wall. In each case, the data controller must consider whether alternative measures could be less invasive on the privacy of individuals.
Before the data controller adopts the use of a video monitoring system, the controller must assess where and when video monitoring is necessary.
Who is responsible for ensuring compliance with these principles?
Pursuant to the General Data Protection Regulation (GDPR), the data controller is responsible for compliance with the requirements for processing of personal data – including the principles of purpose limitation and data minimisation.
The data controller determines the purpose of the processing and which means – such as technical solutions – to use to achieve this purpose. Who the data controller is will be determined based on the actual circumstances. In other words, the party making the decision of whether or not processing will take place and defining the purposes of the processing and how the processing will be handled, will be considered the data controller.
As a general rule, the data controller will be the customer purchasing a free-standing camera, or a security/monitoring system where video monitoring is included. In cases where the provider is processing personal data on the customer’s behalf, the provider will be a data processor.
Depending on which services a camera provider is offering, the provider may be the data controller for part of the processing when a video monitoring system is used. Sometimes, for example, the provider will process some types of personal data to adjust the algorithm after an event on the customer’s premises, to ensure that the algorithm functions as intended for other customers. If two or more data controllers jointly determine the purposes and means of the processing of personal data, they will be considered joint controllers (Article 26). This sandbox project has not considered whether Doorkeeper is a data controller, joint controller or a data processor pursuant to the GDPR.
A provider of a video monitoring system which, after a specific assessment, is not deemed to be the data controller, will in principle not have any direct responsibility for upholding the data minimisation principle. Nevertheless, it is important that the video monitoring system delivered makes it possible for the data controller to comply with the regulations in practice. Otherwise, the provider's customers will not legally be able to use the system for the processing of personal data. It is therefore important that Doorkeeper takes a conscious approach to data minimisation in the development of its service, regardless of whether or not the company is deemed to be the data controller.
The same will apply for the rule relating to privacy by design as established by Article 25 of the GDPR. This provision specifies that the data controller must implement appropriate technical and organisational measures for ensuring effective implementation of data protection principles and protection of the rights of data subjects. Furthermore, measures shall be implemented to ensure that, by default, only data necessary for each specific purpose of the processing is processed. Similar to the data minimisation requirement, the requirement of privacy by design is a duty of the data controller, and it will be relevant for Doorkeeper to consider this.
Because the data controller must, in any event, ensure privacy by design in any solution they use, it would be easier to choose a solution that already has this built-in from the start, compared to adding data protection to a solution that does not have it. Customisation of off-the-shelf solutions after purchase can be expensive. Solutions that have privacy by design could therefore, in many cases, have a competitive advantage over solutions that do not.