A Privacy Balancing Act

A Privacy Balancing Act

The privacy of the individual is the ultimate importance

Privacy. It’s gone beyond buzzword into a class of its own: basically, privacy of the individual is of the ultimate importance, and all else must fall away in our efforts to preserve it.

To that end, the European Union’s General Data Protection Regulation (GDPR) comes into effect on May 25. While this regulation is being mandated by the EU, it applies to organizations located in European Union states, organization located outside of the EU processing personal data of EU citizens, and multinational companies that supply goods or services to, and/or monitor the behavior of people in the EU.

GDPR addresses how data (including names, photos, email address, bank details, social media posts, medical information or a computer IP address) is collected, consented, used, processed, erased and controlled. The new legislation essentially sets higher fines for non-compliance or data breaches, and gives people (or, data subjects) more control and visibility over their personal information, what organizations do with it, and for how long. The basic concept is that the data subject, and not the collector, is the owner of his personal data.

According to the new regulations, an individual needs to willingly consent before his data would be collected; data may only be processed under “lawful” circumstances—meaning, there must be a specific purpose that is transparent and known to the data subject.

What is fascinating is that all of this is taking place with a backdrop of a global push for better security, more scrutiny and making the most of contactless biometric technologies, which is considered as sensitive private information.

So how can GDPR, security and biometrics coexist? What are the challenges and in which areas does society need to focus its energy?

Surveillance—More Important than Ever

There are far reaching implications of these new laws. CCTV cameras are commonly used in widespread surveillance systems. These systems can include hundreds, or in public spaces, tens of thousands (or more if you live in London) of CCTV cameras, which constantly record and collect people’s images. Police and other law enforcement officials often rely on these systems. Organizations and facilities also use CCTV cameras as part of their security infrastructures.

Does every person in the public sphere have to give their consent for this type of surveillance? In short, no. Surveillance is a common enough practice that simply having a sign in an area, informing people that they are being recorded, should be enough. If people see the sign, and still opt to enter that space, this demonstrates their consent. In some circumstances, an optional unmonitored passage needs to be conveniently available to ensure willing consent. Additionally, there are legal limitations to storage duration of CCTV recordings fulfilling a GDPR principle of “ensure erasure when no longer needed.”

Biometrics—Entering the Mainstream

The implications of GDPR go beyond basic CCTV cameras though. Increasingly, organizations are opting to deploy biometric systems to identify opted-in users for access control and security purposes. Biometrics are being selected both for their enhanced security, convenience and increased efficiency. Biometric data, good for identification, whether it visual identification data such as face templates or body behavior data, or other types of biometric information including fingerprints or iris scans would be included as Personally Identifiable Information (PII) under GDPR.

With visual identification in particular, which can be passively collected using standard CCTV cameras (unlike fingerprints or iris scans, which must be actively provided by a user), GDPR can pose some serious considerations.

What do you do with the data of all the people who pass by the camera, yet have not opted into the system? What about people who have opted in, but would like to opt-out now? How long can biometric data of subjects be stored when they have not specifically provided consent? And, for what purpose?

What of the Technology Provider?

It is important to note that the provider of the data collecting and processing technology is neither the processor, nor the controller of subjects’ data under GDPR.

To illustrate, computers and smartphones are used for many useful tasks: work, design, programming, entertainment, community, dating, picture albums and more. But, when used to commit an offence such as hacking into other systems, violation of media ownership rights, illegal darknet trades which are considered as crimes, would the computer or operating system software manufacturer be brought to trial for theft? Of course not. The person orchestrating the offence would be held responsible. No one thinks to outlaw computers and smartphones, when they serve such fundamentally positive purposes as well.

So, too, with personal data collection. The provider of the data collecting tools and technologies will not be held responsible when an organization collects or uses such personal data incorrectly. However, the technology provider does have responsibilities to enable and ensure that organizations are well equipped to comply with the regulation.

Responsibilities as a Technology Provider

As a provider of biometric identification technology, it is our responsibility and commitment to the organizations we work with to support the application of GDPR.

To that end, it is clear that technology providers must:

  • Provide the tools necessary for organizations to be able to not save the data of a subject’s data who is not enrolled in the system, or someone who was enrolled and opted out. Technology providers have a responsibility to create this capability.
  • Ensure that subject data would not be manipulated without authorization and would be protected from security breaches. That’s why it is vital for all data collected to be hashed and encrypted, so that if there is a data breach and information is possibly stolen, it is not usable. This protects the organization in the event of a breach from the serious penalties that can be incurred under GDPR.
  • Provide audited interfaces and tools to enable the organization to provide a data subject with a copy of the personal data saved in the system, ability to correct it or be forgotten when needed.

How GDPR Will Evolve in the Future

Ultimately, GDPR will be implemented in the EU and could be further enhanced according to norms for each member state. This is changing as well. The public is beginning to understand the efficiency that biometric identification brings with it. People like the idea of walking into their favorite shop and being welcomed by name.

Air travelers appreciate the convenience of passport control being automatically handled through biometrics without having to stand in the regular queue.

Of course, there will always be those who prefer to remain as anonymous as possible, and it is up to those involved in all perspectives related to GDPR to make sure anonymity is available.

The Changing Times

The trend is in favor of the public trading off some level of anonymity for the benefits that data-based identification can bring. Surveys show that up to 95 percent of people are interested in providing personal information when they stand to receive tangible benefits.

We should all support what GDPR is trying to accomplish. After all, privacy is still extremely important to people around the world. Yet, we have to periodically reexamine the degree to which there is a demand for what GDPR protects (namely, personal privacy), and make adjustments to the laws accordingly.

In that way, we can continue to move forward, allowing technology to increase safety, convenience and efficiency in our lives without compromising the privacy we all consider to be of sacred status.

This article originally appeared in the April 2018 issue of Security Today.

Featured

  • AI to Help Resolve Non-Emergency Calls Across Utah and Decrease 911 Caller Wait Times

    The Utah Communications Authority (UCA), which oversees the state’s next generation 911 technology services, recently announced that public safety answering points (PSAPs) throughout the state plan to implement Motorola Solutions’ Virtual Response technology to automate the receipt and resolution of 10-digit non-emergency line calls in Utah with the help of AI. Read Now

  • Report: 2025 Video Surveillance Market Set to Grow After Small Decline in 2024

    Novaira Insights has unveiled its latest report, “World Market for Video Surveillance Hardware and Software – 2025 Edition.” The research indicates that the global market for video surveillance hardware and software experienced a slight decline of 0.3% in 2024. This performance fell short of previous forecasts, primarily due to a significant decrease of 7.8% in the Chinese market. Conversely, the rest of the world saw a growth of 4.9%. The global market for video surveillance equipment was estimated to be worth $25.0 billion in 2024. Read Now

  • Report Reveals Local Governments Face Surge in Ransomware Attacks with Minimal Resources

    KnowBe4, the cybersecurity platform that comprehensively addresses human risk management, recently released new research highlighting the critical cybersecurity challenges facing state, local, tribal, and territorial (SLTT) governments. The report details how government organizations have become prime targets for cybercriminals while simultaneously facing severe resource constraints. Read Now

  • Video Surveillance Trends to Watch

    With more organizations adding newer capabilities to their surveillance systems, it’s always important to remember the “basics” of system configuration and deployment, as well as the topline benefits of continually emerging technologies like AI and the cloud. Read Now

  • New Report Reveals Top Trends Transforming Access Controller Technology

    Mercury Security, a provider in access control hardware and open platform solutions, has published its Trends in Access Controllers Report, based on a survey of over 450 security professionals across North America and Europe. The findings highlight the controller’s vital role in a physical access control system (PACS), where the device not only enforces access policies but also connects with readers to verify user credentials—ranging from ID badges to biometrics and mobile identities. With 72% of respondents identifying the controller as a critical or important factor in PACS design, the report underscores how the choice of controller platform has become a strategic decision for today’s security leaders. Read Now

New Products

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities