Recently there was an interesting Austrian Supervisory authority decision imposing a fine of Euro 600 on a owner of Tesla Car . The car owner had installed seven cameras which could film when the car was parked recognizing possible threats. The argument of the Supervisory authority was that it could film people who were not threats and the data subject was not informed about the filming.
This decision indicates that the “Security” of the individual was considered subordinate to the principle of “Privacy”. Secondly it did not matter that the Car owner had no way to filter the recording to only those persons who were considered threats and delete those who were not.
There is no doubt that this decision is one of those crazy decisions for which GDPR supervisory authorities are known. However the new Digital Omnibus Proposal could change things here since the owner of the cameras has no identity of the persons whose pictures have been captured and hence the data will not be considered as “Personal Data”.
If the persons in the camera are identified, it would be through an additional process of matching of the faces with a facial recognition software and who so ever uses this process would be liable for infringement of privacy and obtaining consent. The Car owner who has recorded the video and does not distribute it or sell it for exploitation should be free from liability.
Further, if the data is captured by the cameras and is over written automatically, and referred only when there is a security incident, then the capture automatically get deleted within a reasonable time and hence should not be a violation of privacy principles.
Further the car owner should consider that it is Tesla which perhaps has failed to provide appropriate guidelines for the Car users on how to handle the captures without violating GDPR. Tesla should perhaps indemnify the car owner.
One more point to debate is that if the Car is parked in a public place, the captures would be of the public space. Hence if any body else expose themselves in front of this camera, they would perhaps be also considered as being in public place. It is our view that when a person enters a “Public Space” he is voluntarily exposing himself to public and should not commit any activity which he would like the privacy law to protect.
Further, to consider an individual car owner trying to protect his property as a Data Controller and imposing him the liabilities of GDPR Compliance is simply crazy. By this standard, all “Dash board Cameras” and “Reverse Parking Cameras” are also violating GDPR because any body can come in front of such cameras.
The decision is unacceptable and should be considered as an aberration.
The case opens up many academic points for debate. Comments are welcome.
On the lighter side, now the potential for GDPR Compliance training is open to all individuals who may be considered as “Data Controllers” whenever they use their mobiles to take pictures in public or install CCTV cameras anywhere!
It was alarming to see that there were 210 decisions from different supervisory authorities since 2020 where GDPR authorities have fined individuals. This requires a debate of its own.
Naavi
Ref: https://www.enforcementtracker.com/ETid-2975
