Can personal data recorded by body-worn cameras be considered directly collected from the data subject? May controllers rely on the more flexible transparency regime of Article 14 GDPR when data are captured automatically, without interaction? The Court of Justice of the European Union dealt with these questions in the Storstockholms Lokaltrafik case, which we analyse below.
ILF’s Hungarian member, Smartlegal Schmidt&Partners summarizes this issue in the article.
- Facts
AB Storstockholms Lokaltrafik („Controller”), the operator of public transport in Stockholm, equipped its ticket inspectors with body-worn cameras that continuously recorded video and audio during inspections.
The cameras had a short circular memory, automatically overwriting footage unless inspectors interrupt the automatic overwriting process which they should do in all situations where a fine is issued and where threats to their person arise.
The purpose of the usage of the cameras was to prevent and document threats and violence against ticket inspectors and to verify the identity of passengers subject to a fine.
- Procedure in Sweden
Integritetsskyddsmyndigheten the Swedish data protection authority (“Authority”) examined the data processing in relation to the body-worn cameras and came to the conclusion that the Controller infringed several provisions of the GDPR[i]. According to the Authority, the Controller had not provided sufficient information to the data subjects, thereby failing to comply with Article 13 of the GDPR. The Authority imposed a fine of ca. EUR 1,4 million.
The Controller challenged the Authority’s decision before the Stockholm Administrative Court, which upheld the fine. The Controller brought an appeal before the Stockholm Administrative Court of Appeal which set aside the judgment of the first instance court and annulled the Authority’s decision as regards to the imposition of the fine. The Administrative Court of Appeal took the view that Article 13 was not applicable to the case.
The Authority brought an appeal against the second instance decision before the Supreme Administrative Court.
- Question to the CJEU
The Supreme Administrative Court was uncertain whether Article 13 or Article 14 of the GDPR shall apply to the data processing where personal data is collected from the data subjects by body-worn cameras.
According to the Supreme Administrative Court the answer to that question is necessary to determine which information and when is to be provided to the data subject, and what are the exceptions to that obligation.
- Article 13 of 14 shall apply?
First, referring to its earlier case-law[ii], the CJEU recalled that Article 13 concerns the information to be provided where personal data are collected from the data subject, while Article 14 concerns the information which must be provided where personal data have not been obtained from the data subject. Article 14 of the GDPR applies solely to cases where the data is collected from a person other than the data subject and where the data is generated by the controller, in the performance of its tasks.
In relation to the application of Article 13, the activity or passivity of the data subject is irrelevant, it is the controller’s act of collecting the data that is decisive. This consideration is also highlighted in the Guidelines on transparency[iii]from which it is apparent that Article 13 of the GDPR applies either where the data subject knowingly provides personal data to the controller or where the controller collects the data from the data subject by observation, in particular by means of cameras.
Furthermore, the Court noted that Article 14 was adopted solely to respond to situations in which the controller is not in direct contact with the data subject but collects personal data from another source and where the provision of the information to the data subject when the data is obtained would be difficult or even impossible. The indirect nature of the data collection justifies the latter provision of the information. However, this is not the case when the data is collected by body-worn cameras directly from the data subject.
Last but not least, applying Article 14 to data collection by body-worn cameras would carry the risk of the collection of personal data escaping the knowledge of the data subject and giving rise to hidden surveillance practices. Such a consequence would be incompatible with the objectives of the GDPR, namely ensuring a high level of protection of the fundamental rights and freedoms of natural persons.
- Comment
With its analysed judgment, the CJEU has closed the door on arguments seeking to downgrade transparency obligations based on the automated nature of data collection.
The CJEU emphasized that personal data collected by body-worn cameras (or other CCTV systems) shall be considered as directly collected from the data subject. The method of collection i.e. the activity or passivity of the data subject is not a decisive factor, personal data is directly collected from the data subject even in cases where the data subject does not “actively” provide the information.
The Court made it clear that in case of camera surveillance, Article 13 applies to the data processing which means that the information required by the GDPR (e.g. purpose of processing, data retention periods, rights of the data subject) shall be provided at the time when personal data are obtained.
In this article we analysed the judgement C-422/24 of the CJEU.
Written by Anita Vereb
SMARTLEGAL is a team of agile business & litigation lawyers in Budapest, Hungary, helping international corporate clients and individual entrepreneurs doing business in Hungary. For more information please visit our website at this link.
[i] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
[ii] see Másdi, C‑169/23, EU:C:2024:988
[iii] the Guidelines on transparency under Regulation 2016/679, adopted on 29 November 2017, in their revised version of 11 April 2018, by the Working Party established by Article 29 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data