April 5, 2019

Can Computer Vision Make Your Video Surveillance GDPR-Compliant?


Since the General Data Protection Regulation (GDPR) took effect last year, businesses worldwide are now facing the legal implications of non-compliance. Within Europe, both online and brick and mortar companies (B&M) must comply with the stipulations outlined in the statute to protect the personal data of EU-residents or face steep financial consequences.

Computer vision (CV) could potentially help both online and traditional companies avoid violating the statute. Below, I’ll outline two CV techniques that companies with a physical presence in Europe may want to research as they seek to be GDPR-compliant. First, some background:


What is personal data?

According to the EU, the aim of the GDPR is “to protect all EU citizens from privacy and data breaches in today’s data-driven world.” Personal data is defined as follows:

[Image: screenshot of the definition of personal data]

While the verbiage above refers to personal data only in the context of the internet, brick and mortar institutions around the world have long been collecting personal data using a technology that has now become commonplace: video surveillance (such as closed-circuit television, or CCTV).


Video Surveillance in Europe

Back in 2016, it was estimated that over 300 million surveillance cameras were in use globally. While usage across Europe varies among different countries, with some having thousands and others having millions of active video surveillance systems, the market is still snowballing, even with the GDPR in place.




The regulation does not disallow CCTV or other video surveillance cameras. However, their use now comes with stipulations. Users must, for instance, give data subjects proper notice that video surveillance is in effect. The request for a data subject’s consent must be presented in an intelligible, easily accessible form, so that consent can be freely provided in “clear, plain language,” either through a statement or a clear affirmative act. They must also have a specific and lawful purpose for which video surveillance is necessary and proportionate, which in turn must be communicated to the data subjects before requesting consent.

For B&M businesses and public or private institutions, however, complying with the GDPR may be easier said than done. Austria’s first GDPR fine, for example, was issued, in part, because their cameras were deemed to have captured “too much of the sidewalk.” Considering some 74% of Europe is urbanized, it’s safe to say there are likely many instances of businesses and homeowners, even unwittingly, violating data protection regulations with their surveillance cameras. Compliance may be as easy as changing your camera’s positioning, but where your legitimate usage of surveillance forces you to film a space that does not belong to you, computer vision (CV) may offer a viable solution.


What is computer vision?

Simply put, computer vision gives computers the ability to “see” and learn from images and videos. A computer vision model can be trained to recognize various concepts in visual data, much like humans can, but with the processing power of computers at the technology’s disposal.

There are two particular CV techniques businesses and surveillance system providers looking to stay GDPR-compliant should investigate as the period of “amnesty” draws to a close: face redaction and facial recognition.


Face Redaction

As outlined here, facial redaction allows you to block out the faces of people captured on video. It is a technique that businesses may find valuable where their legitimate use of a video monitoring system clashes with a data subject’s right to privacy.


[Image: example of face redaction]

(Source: Sah, Shagan et al. “Detection without Recognition for Redaction.” (2017).)


Back in 2014, a Czech Republic national saw how this could play out when his legal use of surveillance cameras was deemed to have violated data protection standards by the European Court of Justice (ECJ). Having suffered a series of attacks, the homeowner installed cameras to monitor multiple areas including public footpaths and the entrance to a neighbor’s house. When vandals next attacked, they were filmed. Despite being arrested and charged, however, one successfully argued that the system’s usage violated his right to privacy and the homeowner was initially fined.


Facial redaction may be able to help CCTV users toe the line between a legitimate purpose and privacy rights. For instance, France’s stringent food waste regulations may give a supermarket chain in that country a legitimate purpose in the eyes of the GDPR (i.e., wanting to monitor their waste disposal site to ensure employees are adhering to the food waste laws). However, if their cameras record footage from a neighboring space, like a shared loading dock or public park, having a CCTV system with facial redaction may be able to offer these businesses some peace of mind*. For instance, if their CCTV system is integrated with both face redaction and facial recognition, the model could be directed to recognize the faces of supermarket employees who have freely consented to surveillance, and so redact any face in the area that it has not been trained to recognize.


*It should be noted, of course, that faces are not the only way by which people can be identified.


Facial Recognition

Facial recognition might seem counterintuitive for the goals of the GDPR, but the technology still has its place in this post-GDPR era. Alongside giving proper notice and gaining the consent of data subjects, the regulations also state that recorded persons have the right to access the footage they have been captured on. Law enforcement can similarly request access to such footage, where it is in the interest of the public.

Neither of these stipulations, however, negates the responsibility business owners and surveillance system providers have to maintain the privacy of any other recorded subjects. As such, they must ensure that any footage they allow access to is relevant. That is, the footage must include the person in question, whether it is the requester himself, or the subject of a criminal investigation.


While the personal data businesses collect cannot be stored indefinitely, the regulations do not define a specified time limit on how long it can be kept, outside of no longer than is necessary for your purpose. As such, you could be required to review weeks’ worth of surveillance footage. A surveillance system that has been integrated with a robust facial recognition platform will be able to quickly process hours of video and accurately identify the face or faces of the relevant individual/s in particular. Using facial recognition, companies may therefore be able to save time and resources while still fulfilling their legal obligation to provide certain requesters with relevant surveillance footage. Wherever someone irrelevant to the matter at hand is also present in the video, face redaction may be used to obscure or blur those faces out.
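The redaction decision described in both sections above (keep only consented employees, or only the requester, and obscure everyone else) can be sketched as a fail-closed allow-list check. This is an added example, not Clarifai code: it assumes a face detector and embedding model (not shown) supply the boxes and vectors, and the names, sample values and the 0.9 threshold are hypothetical.

```python
import math

def cosine(a, b):
    """Cosine similarity between two embedding vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0

def is_cleared(embedding, cleared, threshold):
    """True only if the face matches someone on the cleared list."""
    if not embedding:  # recognizer produced nothing: fail closed
        return False
    return any(cosine(embedding, ref) >= threshold for ref in cleared.values())

def redact_frame(frame, detections, cleared, threshold=0.9):
    """Return (copy of frame with uncleared faces blanked, faces redacted)."""
    out = [row[:] for row in frame]  # never modify the source frame in place
    redacted = 0
    for det in detections:
        if is_cleared(det.get("embedding"), cleared, threshold):
            continue
        x0, y0, x1, y1 = det["box"]
        # Blank rather than blur so the pixels cannot be recovered;
        # clamp the box so a detection at the frame edge is still covered.
        for y in range(max(0, y0), min(len(out), y1)):
            for x in range(max(0, x0), min(len(out[0]), x1)):
                out[y][x] = 0
        redacted += 1
    return out, redacted

# Constructed sample data: a 6x8 grayscale frame and three detected faces.
FRAME = [[200] * 8 for _ in range(6)]
CLEARED = {"employee_17": [0.9, 0.1, 0.4]}  # hypothetical consented employee
DETECTIONS = [
    {"box": (0, 0, 2, 2), "embedding": [0.88, 0.12, 0.41]},  # cleared person
    {"box": (4, 1, 7, 4), "embedding": [0.1, 0.9, 0.2]},     # passer-by
    {"box": (2, 4, 4, 6)},  # face detected, but no embedding available
]

if __name__ == "__main__":
    redacted_frame, count = redact_frame(FRAME, DETECTIONS, CLEARED)
    print(count, "faces redacted")
    for row in redacted_frame:
        print(row)
```

For a subject access request, the cleared list would hold only the requester's reference embedding, so every other face in the released footage is blanked.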


While video surveillance systems are being used to keep us safe and help us become more efficient, with the GDPR and other data privacy laws, users now have to be careful about what and who they film. As EU-based businesses look to comply with the statute, AI technologies like computer vision may be able to help. By investing in surveillance cameras that have been integrated with CV techniques like facial recognition and redaction, businesses may be able to maintain what has become integral to their physical operations and still protect the privacy of their customers, employees, and the general public.


Legal Disclaimer

Advice, graphics, images and information contained in this online site are presented for general educational and information purposes. It is not intended to be legal, or other expert advice or services, and should not be used in place of consultation with appropriate professionals.

In no event shall Clarifai Inc. and its officers and employees be liable for any liability, loss, injury or risk (including, without limitation, incidental and consequential damages, personal injury/wrongful death, lost profits or damages) which is incurred or suffered as a direct or indirect result of the use of any of the material, advice, guidance or services on this site, whether based on warranty, contract, tort, or any other legal theory and whether or not Clarifai Inc. or any of its officers or employees is advised of the possibility of such damages. Clarifai Inc., TO THE FULLEST EXTENT PERMITTED BY LAW, DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT OF THIRD PARTIES’ RIGHTS AND FITNESS FOR PARTICULAR PURPOSE.