By Teresa Basile, Christine E. Lyon, and Janelle J. Sahouria of Morrison & Foerster
Spain’s strict new limitations on video surveillance
In recent months, Spain has imposed substantial new restrictions on video surveillance and other types of videotaping of individuals without their consent. These developments underscore important differences between U.S. and Spanish privacy law.
Spain’s approach to video surveillance is illustrated by a recent enforcement action, in which Spain’s Data Protection Authority (the AEPD) fined a 20 year-old for posting a video on YouTube without the consent of the individual shown in the video. This case received significant media attention, as the video showed a group of teenagers harassing a disabled person, and led to public outrage over the mistreatment of the victim. The AEPD investigated the incident and determined that the videotaping violated Spain’s Data Protection Law (the LOPD) because the victim had not consented to being recorded. In a subsequent statement, the AEPD explained that the LOPD generally requires a person or entity making a video recording to obtain the consent of each person who can be identified in the video recording: “The collection of images of a person, as long as [the images] allow the identification of that person, is regulated by [the LOPD] and requires the consent of the person involved.” This consent obligation applies even if the individual is videotaped in a public location, as discussed below.
Applicability of Spain’s data protection law to video surveillance
The LOPD provides that “the processing of personal data shall require the unambiguous consent of the data subject, unless laid down otherwise by law.” Processing is broadly defined to include collection, recording, storage, or transfer of personally identifiable information. The AEPD has explained that “collecting the images of a person in a public place constitutes data processing” as long as the images allow identification of that person. In other words, Spain recognizes an inherent right not to be videotaped without consent, even in public locations. This is a noteworthy difference from U.S. law, which generally recognizes a privacy interest only if the individual had a reasonable expectation of privacy in the location where the video surveillance occurred.
This leads to the question of whether a company operating in Spain may use video surveillance within its facility. In general, video surveillance may serve multiple functions: protecting the safety of employees and customers in publicly accessible areas (such as retail areas), identifying theft by customers or employees, and deterring theft and other misconduct. The AEPD recently issued guidelines for video surveillance, which attempt to balance individual privacy rights with the legitimate purposes served by video surveillance.
New video surveillance guidelines
The new Video Surveillance Guidelines (the Guidelines) must be read as a complement to Instruction 1/2006 on the processing of personal data when using cameras or video cameras for security purposes.
In general, the processing of personal data by means of video surveillance systems requires the data subject’s consent. Exceptions to this rule can be found in the Spanish Private Security Law and in section 20 of the Labor Statute, as described in more detail below.
When using video surveillance systems for security purposes, private companies must comply with certain requirements.
First, before creating any databases that contain video surveillance files, private companies must notify the AEPD of their intention to create video surveillance files. In comparison, there is no need to notify the AEPD when video surveillance systems are used to simply play or broadcast images in real time (without storing such images as files).
Second, private companies have a duty of information vis-à-vis those individuals whose images are to be captured. Organizations must place at least one sign in zones that are under video-surveillance, notifying individuals that they are under surveillance. These signs must be placed “in a sufficiently visible zone, in open as well as enclosed spaces.” In addition, organizations must provide affected individuals with certain information as required under the LOPD.
Third, organizations must ensure that technical and organizational measures are in place to guarantee the security of the data, and to protect against alteration, loss, or unauthorized processing or access to the video surveillance files.
Lastly, the video surveillance files can be stored for a maximum of one month, unless data are needed for purposes of criminal or administrative investigations.
In addition to the above rules, another set of requirements is prescribed for those organizations wishing to use video cameras for monitoring purposes in the workplace. Section 20.3 of the Spanish Labor Statute allows the video monitoring of employees, without their consent, in order to check that employees are fulfilling their labor obligations. Nonetheless, there are minimum requirements to be observed by the organizations:
- There must be no other alternatives or more appropriate means to accomplish this purpose than the use of such video surveillance;
- The implementation of video surveillance systems must be strictly limited to the uses and locations necessary for fulfilling the purpose of the employee monitoring;
- Video surveillance systems cannot be located in facilities meant for employees’ private use (e.g., toilets, restrooms, or recreation rooms);
- Employees’ right to their private lives must be respected, and private conversations cannot be recorded;
- Organizations must fully respect their employees’ information rights (i) by notifying the employees’ union representatives that a video surveillance system is to be put in place, (ii) by placing the information sign described above as set out in the Instruction 1/2006, and (iii) by means of a personalized notice;
- In cases where video surveillance files are created, the notification requirement described above applies;
- Employees’ images must be deleted within 30 days, unless these data are needed for investigative purposes (crimes or non compliance with labor obligations);
- Employees’ rights of access to and erasure of their images must be guaranteed;
- Organizational and technical measures to secure data must be implemented; and
- The company retained to install the video surveillance equipment must comply with specific requirements pursuant to Spanish sector based law.
Additionally, video surveillance systems installed by financial entities are governed by separate sector specific laws.
Penalties for non compliance
The AEPD is empowered to enforce the LOPD and levy fines for violations. Penalties are based on the severity of the infringement, but the fines can be very harsh compared to those imposed in other European Union Member States. In 2007, the AEPD collected ?19.6 million in fines. Additionally, the Spanish Criminal Code allows imprisonment for certain violations of the LOPD (e.g., unauthorized access to personal data, use, or theft of such data).
While Spain has stricter rules on video surveillance than many other EU Member States, Spain’s approach demonstrates general principles that apply in all EU Member States:
1. Privacy rights in the EU are not limited to situations in which an individual has a reasonable expectation of privacy, or a reasonable expectation that he or she will not be observed. To the contrary, EU data protection laws recognize an inherent right of privacy against surveillance, even in the workplace or other public places.
2. A company cannot diminish these EU privacy rights simply by announcing its intent to conduct surveillance or monitoring. Notice is a fundamental requirement of EU data protection laws, but notice does not in itself suffice, because other obligations arising under those laws must also be met.
For these reasons, companies operating in Spain or other EU Member States should exercise caution in implementing video surveillance or other monitoring practices, even if the same practices are acceptable in the U.S. or other countries.
Christine Lyon is a partner in the Palo Alto office of Morrison & Foerster LLP. Her practice concentrates on privacy and employment law, including counseling, litigation, and transactional work.
Janelle Sahouria is an associate in the San Francisco office of Morrison & Foerster, where she is active in the firm’s pro bono efforts.
Teresa Basile is an associate in the Brussels office of Morrison & Foerster LLP and is a member of the firm’s Litigation Department. Her practice includes advising multinational companies on different aspects of EU competition law, such as cartels, mergers, and abuse of dominance, as well as data protection and privacy law at both the EU and national levels.