With the enactment of the General Data Protection Law (“LGPD”), Law No. 13.709/2018, information privacy and security assumed a prominent role in business routines.
The use of monitoring tools, such as surveillance cameras, is very common in industries, businesses and even in medical and dental offices and service providers.
Art. 5, item I, of the LGPD, defines personal data as “information related to an identified or identifiable natural person”. Thus, the images collected by these cameras are considered personal data, as they are able to identify a natural person.
From the validity of the LGPD, any data processing to be lawful must observe, at least, the following points: (i) have a legal basis that justifies it (articles 7 and 11); (ii) comply with the principles of the Law (art. 6) and (iii) adoption of rules that guarantee the security of information (art. 46 and 47).
Thus, the first challenge is to know on which legal basis the data processing embodied in the capture of images by security cameras is inserted. Beforehand, it is worth clarifying that this is a controversial issue, which depends on the maturing of the culture of privacy and data protection in the national scenario, as well as guidelines from our National Data Protection Authority (ANPD).
The legal bases provided for in the LGPD and which best suit the situation are: legitimate interest (art. 7, IX) and to protect the life or physical safety of the holder or third party (art. 7, VII). The correct subsumption will depend on the purpose of the treatment in the specific case.
The legal basis for consent (art. 7, item I) must be avoided, since it is practically impossible to obtain prior consent from all those who will be registered by the cameras. Furthermore, the logistics to guarantee the revocation of consent would be something of great difficulty for companies.
It is worth mentioning that the use of the legal basis of legitimate interest requires some precautions: (i) adoption of measures that guarantee its transparency; (ii) preparation of the Personal Data Protection Impact Report, which may be required by ANPD; (iii) maintenance of records of personal data processing operations by the controller and operator; and (iv) guarantee of the regular exercise of the rights of the holders, respecting their legitimate expectations and fundamental rights and freedoms.
In other words, video surveillance is legal if it is necessary to fulfill the legitimate interest of the controller or third party, unless such interest is nullified by the interests, rights and fundamental freedoms of the data subject. The legitimate interest can be legal, economic or immaterial. This weighing can only be done in the specific case.
Another pertinent discussion is whether these data would be classified as sensitive, that is, whether they fit into the hypothesis of biometric identification (art. 5, II). To assess this point, it is first necessary to understand the concept of biometric data.
At this point there is already a greater margin of legal certainty, as Decree No. 10,046/2019 defines biometric data as follows: “measurable biological and behavioral characteristics of the natural person that can be collected for automated recognition, such as the palm of the hand, the fingerprints of the fingers, the retina or iris of the eyes, the shape of the face, the voice and the way of walking” (art. 2, II).
Thus, to be considered sensitive data, image processing must aim at identifying a person through biometric data (digital, face shape, retina, etc.). This is the case of cameras with recognition technology, widely used for public safety purposes and which are different from cameras that merely capture the environment. Another situation that can configure the treatment of sensitive data is the cameras installed inside a hospital that, consequently, will capture information related to the health of the holders. In such cases, all precautions regarding the processing of sensitive data must be taken.
In the absence of more concrete guidelines from our ANPD, we can make use of Directive No. 3/2019 of the EDPB (European Data Protection Board) on the processing of personal data through video devices, from which it is possible to extract the following relevant guidelines:
1- The purposes of the cameras must be documented and informed to the holders of personal data and there can be no deviation from the purpose;
2- Before installing a video surveillance system, the controller must always critically examine whether this measure is the most adequate to achieve the desired objective and necessary for its purposes. The surveillance camera should only be chosen if the purpose of the processing cannot reasonably be fulfilled by other means less intrusive to the fundamental rights and freedoms of the data subject;
3 – The position of the camera, storage mode and accesses must be categorically studied so that the purpose is fulfilled in such a way as to affect the privacy and other rights of the holders as little as possible;
4 – In the case of relationships where there is subordination, as in the case of employment relationships, the legal basis of consent should not be used, since it will not be freely granted. Thus, in your adaptation program, the insertion of the consent form in the employment contract will not be legitimate;
5- Any dissemination of images, by any means whatsoever (eg websites, email, chat applications, social networks, to third parties) is only possible provided that it is supported by a legal basis and provided that it fulfills the original purpose. Thus, if an employee publishes images of the company’s internal monitoring circuit on a social network with the exposure of an employee, there is a violation of privacy and data protection, a situation that may lead to the company’s liability;
6- The data subject has the right to obtain confirmation from the controller of the processing of his/her personal data through video surveillance. If no data is stored or transferred in any way (eg there is only real-time monitoring, no storage), the controller can only provide the information that no personal data is being handled. If, however, the data is still being processed (ie when there is data storage or any other form of treatment), the data subject must receive information about the treatment carried out with his data.
7 – The construction of a surveillance system warning must, at least, observe the following guidelines: (i) be positioned in an easily accessible location; (ii) it is not necessary to reveal the position of the camera, as long as there is no doubt about which areas are subject to monitoring and the context of surveillance; (iii) mention the purpose of the treatment; (iv) indicate how the holder can exercise his rights; and (v) identification of the controller.
Case analysis is of paramount importance for a more accurate diagnosis. From now on, it is essential that companies pay special attention to data processing through their internal monitoring circuit, documenting all points in their compliance project, eliminating all treatments without a legal basis, adjusting the positions of their cameras, etc. .
Proof of this is the condemnation of Hering by Senacon (National Consumer Department) for the use of facial recognition technology in its store at Shopping Morumbi, in São Paulo, to trace the profile of its consumers, without the owners’ consent. The conviction was made based on the Consumer Defense Code and with the validity of the LGPD, this matter assumes even greater criticality.
*Juliana Callado Gonçales is a partner at Silveira Advogados and a specialist in Data Protection (www.silveiralaw.com.br)