Sweden: IMY publishes blog on use of privacy-friendly technology in CCTV
On July 4, 2023, the Swedish Authority for Privacy Protection (IMY) published a blog on the implications of employing privacy-friendly technologies, such as digital masking and pixelation, in camera surveillance systems. The IMY clarified that the initial collection of surveillance footage often involves the processing of personal data and is therefore regulated by the General Data Protection Regulation (GDPR), and occasionally the Camera Surveillance Act (CSA).
The blog also noted that, in a recent supervisory decision against a municipality, IMY held that the collection, processing, and transfer of pixelated images is regulated by the CSA. The IMY explained that, while pixelation offers some level of privacy, it does not guarantee complete anonymity due to distinctive features such as body shape, movement patterns, or other attributes which can be used to identify people. According to the IMY, this is particularly relevant in environments frequented by the same individuals, such as schools.
In addition, the blog outlined two procedures entities can follow to get a privacy assessment by the IMY for new surveillance technology, namely:
- an application for camera surveillance permission, however, this is limited to entities required to seek permission, such as public authorities, schools, and hospitals; or
- a person responsible for data processing can request a prior consultation, after completing a Privacy Impact Assessment that identifies high unmitigated risks to personal data.
Moreover, the IMY urged entities to be mindful that privacy-enhancing camera surveillance technology often still involves the processing of personal data, necessitating compliance with the GDPR and the CSA.
You can read the blog, only available in Swedish, here.