The purpose of this sandbox project is to explore some of the most relevant regulatory challenges that arise in connection with the use of intelligent video analytics.
Legal basis for intelligent video analyticsIn the sandbox, we have explored legal issues associated with three different areas of application for Doorkeeper’s solution. These issues are transferable to other enterprises that are developing similar solutions. One key point is that intelligent video analytics, which are designed to make the processing of personal data less invasive, may affect the legality of the processing pursuant to data protection legislation.
Alternative solution designsDoorkeeper has two alternative designs for the use of intelligent video analytics. The analysis and censoring either takes place inside the camera body, or on an external platform. The choice of design impacts how personal data is processed in the solution. In this report, we discuss how this may have consequences for how invasive the monitoring is for the individuals recorded in the video feed.
Data minimisationThis report demonstrates that it is possible to implement data minimisation measures in intelligent video analytics. Such measures may be implemented by configuring the solution to limit the amount of personal data collected and processed to what is necessary for the purpose. The presence of functions in monitoring systems that make processing of personal data less invasive will also require enterprises in the security industry to assess, to a greater extent, the types of personal data they need to be processing to achieve the purpose of the monitoring.
Disclosure of personal dataDoorkeeper’s solution is designed to store less personal data that may be disclosed, compared to cameras that make continuous recordings. This could make it easier for enterprises like Doorkeeper to comply with requests for access, as the enterprise will store fewer recordings that may be relevant. The rules for disclosure of personal data, however, will be the same for Doorkeeper as for all other data controllers.
Security issuesIn the sandbox, we have discussed how Doorkeeper must ensure to maintain security within the solution. This entails that security must remain up-to-date with technological developments, that any vulnerabilities must be addressed and handled immediately, and that data must be deleted once the purpose has been achieved.
In the sandbox, Doorkeeper has explored questions they have had in the development of intelligent video analytics, with potential functionality that enhances data protection. Doorkeeper may use the discussion in this report to better comply with requirements of data protection legislation and ensure better data protection within the solution. The Data Protection Authority also hopes the discussion can be useful for other enterprises developing similar technology.
Through these sandbox activities, the Data Protection Authority has also learned a great deal about the possibilities inherent in intelligent video analytics. We will use this new knowledge to further improve our informational work.
What is the sandbox?
In the sandbox, participants and the Norwegian Data Protection Authority jointly explore issues relating to the protection of personal data in order to help ensure the service or product in question complies with the regulations and effectively safeguards individuals’ data privacy.
The Norwegian Data Protection Authority offers guidance in dialogue with the participants. The conclusions drawn from the projects do not constitute binding decisions or prior approval. Participants are at liberty to decide whether to follow the advice they are given.
The sandbox is a useful method for exploring issues where there are few legal precedents, and we hope the conclusions and assessments in this report can be of assistance for others addressing similar issues.