(France) CNIL, the French data privacy regulator, has received more than 1,000 complaints in relation to video surveillance. In making one particular case public, CNIL appears to wish to draw attention to the issue under GDPR. CNIL France reports as follows:
On November 5, 2019, the President of the CNIL gave notice to Boutique.Aéro to bring its video surveillance system into compliance.
In March 2019, the CNIL carried out an on-site inspection in the company’s store located in Haute-Garonne.
The main result of the audit was that the company uses a video surveillance device, in particular for the purpose of locating all employees. In addition, the CNIL noted that one of the employees is continuously filmed at his work station.
This device is contrary to the General Data Protection Regulation (GDPR). Indeed, except in special circumstances, video surveillance systems which place employees under constant surveillance are excessive, and infringe their individual freedoms.
The President of the CNIL therefore put the company on notice to reorganize its video surveillance system. In addition, the CNIL noted other shortcomings relating to the lack of information for employees, to security, to the absence of keeping a register of processing activities and to the absence of a contract binding the company and its subcontractor.
Given the intrusive nature of the video device and the need to educate employers on the implementation of these devices, the CNIL has decided to make this formal notice public. In general, the CNIL recalls that it received a little more than 1,000 complaints in 2018 regarding video surveillance, which demonstrates the increased sensitivity on this subject of the people concerned.
This formal notice is not a sanction. Indeed, no follow-up will be given to this procedure if the company Boutique.Aéro complies with the law within the time limits which are allotted to it, that is to say ten days and two months according to the failures retained. In this case, the closure of the procedure will be given the same publicity treatment. If the company does not comply with the formal notice, the President will seize the restricted formation of the CNIL which may pronounce a sanction.
(Privacy press clipping sourced via CNIL France)
CNIL appears to be interested in making the point that unrestricted surveillance of employees, in the workplace, will infringe the GDPR. CNIL cites education in making the Boutique.Aero case public via a press release.
Employers need to be able to justify the use of surveillance cameras in the context of their business. CNIL has indicated on more than one occasion that it will be difficult to justify the ongoing surveillance of employees carrying out their work duties. “Special circumstances” would be required to justify such surveillance, going by the wording of CNIL’s 10 December 2019 release. CNIL has not said what these circumstances would be, or given any examples.
Ongoing or intrusive surveillance, perhaps with the intention of monitoring productivity or “keeping tabs on workers”, will not be a purpose that is permitted under the GDPR. Rather CNIL considers that such surveillance will breach the fundamental human rights of employees in France. In the Boutique.Aéro case, CNIL was at pains to observe that “one of the employees [was] continuously filmed at his work station”. It is clear that such placement and use of cameras by employers could be subject to fines by CNIL. It is also clear however that CNIL prefers to approach enforcement with warnings, cautions and education first – moving up the scale to fines if behaviors do not change or there is evidence of intentional disregard of the data privacy laws.