Do We Have the Right to Access CCTV Images in which We Appear?

As part of the Edgelands x Magnum project, I had to research about the rights we have to access information about the CCTV recordings of cameras in public spaces in Geneva, including who owns the cameras, where are the recordings stored, and how could I access the recording where I appear. This blog post tells the story of that research, the obstacles that I encountered, my findings, and my opinion about this subject, all, from my point of view.

‍

As the diagnostic report and the participatory survey revealed in Geneva, physical security is not really an issue as people feel rather safe. The issues stem from the side of digital surveillance, data privacy and cybersecurity. The world is moving fast on the question of the increased collection of our data, and while people do understand that there are risks and benefits, they feel rather unequipped and unable to follow the pace at which things are evolving. This is why Edgelands’ work in Geneva focuses on using research and art to create spaces of conversations around these issues.

‍

One of our arts partners is Magnum Photos. The Magnum x Edgelands is a three-year project covering six Edgelands cities that focuses on how technology is impacting and transforming our societies. The main goal is to understand if it’s possible to visualise surveillance and security through narrative photography, and how. As part of the second chapter of this project, the Magnum photographer Thomas Dworzak wanted to picture the link between our daily usage of technology and the tracks we leave online, whether we do it consciously or not. For this, Thomas followed the day of seven volunteers, to photograph them in regular situations and capture their digital footprint. Thus, Thomas’s idea was to link the pictures of the volunteers using a digital service (e.g., WhatsApp, or Email servers), or being captured by CCTV cameras, with the physical location where the data collected by each of these is stored.

‍

ℹ️ A digital footprint can be defined as “one's unique set of digital activities, actions, and communications that leave a data trace on the internet or on a computer or other digital device and can identify the particular user or device."

‍

While Thomas focused on the artistic and photography aspect of the project, the Edgelands team focused on tracing the digital footprints to their physical locations. During this phase of the project, many obstacles were met and many things were uncovered, and that’s what I will get into in this blog post.

‍

My first realisation during this project was that we are kind of oblivious to the amount of data that is collected about us during our daily lives. We’ve all heard about stories of our data being sold, we have to agree to cookie policies every time we reach a new website, and so we are aware of the general issue. But what we are not really aware of is the scale of this data collection.

‍

Besides the data collected about us online, there are surveillance cameras throughout the city that record us as we pass near them. Whenever we go into a supermarket, a mall, or any shop, CCTV cameras are recording us. It has become totally normal, and we can often see ourselves on a screen when entering a shop which makes us aware that we are being watched, but we do not think about it for long. The focus of this blog will be the data collected by these cameras, and the process to get information about where these data are stored, and to get access to the specific recordings.

‍

While accompanying Thomas with a volunteer, I was taking notes of the many CCTV cameras we were crossing, and it soon became clear that there were many more than I thought. Even if you are just passing by a shop on the sidewalk, your image could be briefly captured if you are close enough to the entrance. Having worked in other cities (such as London) in projects involving CCTV cameras, Thomas thought that the process of retrieving information about the data and getting the video recordings would be rather easy, but in Geneva it proved to be a more complex task.

‍

Things I had to find out

‍

For the Magnum project, my task was to enquire on three main questions:

‍

1. Who owned the CCTV cameras (or who was responsible for these),
2. Where are the recordings stored, and
3. How could I access the recordings where I appear.

‍

While I was preparing to embark on this mission with these enquiries, I came to my second realisation on this issue: despite working for Edgelands, and taking an interest in the subject, I was clueless as to where and how to start my research. I didn’t know how to get that info, because it is not something I am used to researching. Since I am not used to asking myself these questions and it was my first time doing this type of research, I started from scratch, as any of us would, and I uncovered some other issues.

‍

In addition to not knowing where and how to get that information, I had no idea whether this was available for me as a private individual. I didn't know if it was within my rights to request CCTV footage I appeared on, and to be informed of where the data was processed and stored. Thus, I decide to add a fourth question: what are my rights regarding the recordings made by CCTV cameras in Geneva?

‍

Process of Getting the Info

‍

I started the research of the first three questions by simply looking online. Many of the websites of the places where the Magnum volunteers went (malls, grocery stores, etc.) had either a data and privacy web page with their policy or a confidentiality declaration. However, the majority of these were very general, and mostly considered the data collected when browsing the website. They did not provide info on their security apparatus, such as CCTV cameras, in the location of the shop/mall. For those few that did have extensive information about how and why my data (including images) can be captured, there was no information as to where it was stored, and how I could access it.

‍

Most information about any subject is nowadays just a few clicks away, and in a society which is ever more relying on internet and digital information, the fact that we must go through more traditional communication methods to get that info, not as a choice but as an obligation, translates, in my opinion, as a lack of transparency. This information should be easily accessible and not “hidden”.

‍

Since the info I needed was not available on their websites or online, I had to contact the institutions directly, which proved to be a hassle sometimes. For example, since the majority of the websites, as stated earlier, did not have information on security apparatus, I had to go through their generic phone numbers or e-mail address to ask very specific questions regarding CCTV footage.

‍

For all the 11 institutions I identified, I send them an email with the questions, and in some cases called their information or customer service number. In most of these cases, I found myself in long “hold lines” while I was transferred to various departments, or in long email chains where I was referred from one colleague to another. So it took a lot of time to get to the right interlocutor if I ever got to them.

‍

As an example, with one of the institutions I spent some time on the phone, jumping from one person to another. During the process, most people on the phone asked me if I was from the police or working with the police. This could hint towards the fact that there are not a lot of people asking to have access to the recordings in which they appear, and that most of the requests they have on this subject are with law enforcement or the justice system.

‍

When I finally got the right interlocutor, he explained to me clearly how I could access my images, which was very welcome. In this case, I had to write them giving them the exact details on when I came into the shop and how I was dressed so that they could identify me, blur all the other people on the images, and then send them to me, for a fee.

‍

‍

I was reassured to receive this answer. However, this type of response was the exception. Other organisations replied that those images were restricted to law enforcement, the justice system and their security staff, which made me question my rights once again. How come some institutions would make these images available to me while others wouldn’t?

‍

Additionally, in most cases I had to explain why I was asking for that information. While it can be understandable, it sometimes felt like I had to justify why I wanted to know info regarding my own data. With this I feel torn between feeling reassured that not anybody can simply access information about my data, but in a certain way, having to justify myself for something I felt entitled to make me feel uneasy.

‍

Applicable Laws and What Rights I Have

‍

When I was looking for the rights about my image on the web, I realised that there was more information available for people who own CCTV cameras than for the “subjects” being captured by said cameras. While there are info sheets, for example by the PPDT (Préposé à la protection des données et à la transparence), these mostly focused on the duties of the filming party.

‍

Additionally, I have not found a single info sheet or website which explains, in simple terms, my rights in case my image is captured by a camera, be it on the street or in the mall, for example. I could assume that such information explained in simple terms exists, but the fact that I did not easily find it is a problem in itself.

‍

I learned that different rules apply depending on who is the owner of the CCTV camera. In the case of private and federal institutions, they are subject to the Federal Act on Data Protection (FADP). For public institutions in Geneva, another law is applicable, the LIPAD. Without going into details, the rights for installing and using CCTV cameras are different, as a private institution can’t install a CCTV camera targeting public space such as the streets.

‍

Unfortunately, these laws are not necessarily easy to understand if you are not familiar with legal vocabulary. For instance, Article 8 of the Federal Act on Data Protection defines the right to information, stating that “Any person may request information from the controller of a data file as to whether data concerning them is being processed.” There are other subparagraphs in this article, but it is still difficult to understand whether the “controller of a data file” must provide said data file on the demand of the subject of the data file. I am still unsure as what I am entitled with this law. The next article defines the Limitation of the duty to provide information, which complexifies the understanding of the law since “the controller of a data file may refuse, restrict or defer the provision of information” under some circumstances.

‍

Results

‍

Out of the 11 institutions who were contacted about their CCTV cameras, none gave us precise information about the location of their data center (or where the data was stored and processed). Only 5 institutions answered us that the images were stored and processed in Switzerland or in Geneva. For the other 6, I got either no answers to my e-mails (despite follow-up emails) or they responded that they couldn’t answer those questions nor give us the information.

‍

The reasons why they would not give us answers were rather similar in every case. They mentioned that, as stated earlier, they could not give us this information for privacy and confidentiality reasons. They also mentioned that the info and the footage was only accessible for security staff, law enforcement, and the justice system.

‍

While writing this blog post, I reached out to the institutions who would not give us the info asking them to provide more information to their response, to better understand the stakes in play. I rarely got an answer, and when I did, there was no new information as they were repeating that they could not give me any info on the subject.

‍

Interestingly, I also reached out to the one organisation who sent me images captured by their CCTV cameras asking them why they were giving me access to it since so many other organisations wouldn’t. This is the verbatim answer I got:  

“The FADP gives everyone a right of access to their personal data. An image taken by a surveillance camera is personal data insofar as even if the person who appears in it is not identified, he or she is still identifiable. We do not systematically give the images because the law also gives the right to refuse the sending in case of overriding interest (e.g., communication to the prosecution authorities in case of theft).”

‍

Another interesting thing it that there was not a significant difference in the answers I got whether I presented myself as an individual or as the Edgelands Institute. In the cases when institutions were reluctant to give us the info, the only thing that changed was the speed at which I got answers.

‍

I also tried contacting the PR department of some institutions. I thought that since the security department was not responding, maybe their PR would have some generic information on the subject. I spend some time on the phone with a few of them to explain exactly how and why we were doing this research. They were very cooperative and enthusiastic, however, at the end I would get the same negative answers.

‍

A big question that arose while doing this research was about the causes of why I did not get the info I asked for. Being skeptical, I thought that maybe it wasn’t that they didn’t want to give us the info, but rather that they might not be prepared to answer these questions.

‍

As an example, I reached out to the police to ask where the data from CCTV cameras in a particular neighbourhood was processed and stored, and they told me that they were only the users and did not have the details about it, and redirected me to the OCSIN (Office cantonal des systèmes d'information et du numérique). When I reached out to the OCSIN, the person I had on the phone wasn’t reluctant about helping me, but was rather lost as it was the first time they had this request. After stating that they clearly did not know, they said they would enquire and get back to me, which they never did.

‍

This also raises a very interesting question that has no good answer. Should we be concerned about the fact that the video recordings of the cameras in the places we visit, and their storage information is not easily accessible? This could mean that this data is pretty well secured. Or, on the other hand, should we be concerned about the lack of easily available information about the how, where, and by whom our data is processed, along with the lack of transparency about how we can access it?

‍

In the end, the experience of looking for information about the images I appeared on proved to be complex and more difficult than what I believed at the start of the project. I did not expect it to be that time and energy consuming.

‍

I believe firmly that this is a problem. I did all this work in the context of a work project, but if it wasn’t for it, I think I would have given up shortly after the first obstacles I met. I won’t assume that these processes are complex to discourage people looking for answers and their captured images, but it is a side effect that can’t be taken lightly. I doubt that the lack of information or transparency hides any malevolent intention, but it does show that this subject is not brought up enough by anybody.

‍

24.04.23 Update:

‍

We have received a response from the city regarding our questions, which clarifies that the applicable law for public use is governed at the cantonal level through the LIPAD, rather than at the federal level. The information provided to us includes the following details on this matter:

‍

“Article 42 al. 3 letters a) and b) of the LIPAD provides that public institutions that operate a video surveillance system must take all organizational and technical measures to limit the viewing of data to a restricted circle of persons, whose identity must be communicated to the cantonal data protection officer, and to guarantee the security of the surveillance installations and the recorded data.

As you can see, the law therefore requires public institutions to limit the consultation of data, in this case images, to authorized persons only and to take all necessary measures to guarantee the security of the video surveillance installations.”

‍

They then answered our specific questions:

‍

1. Why is the data storage location confidential?

‍

“Only a strictly confidential location known only to authorized technicians can guarantee the security of the video surveillance system operated by the City of Geneva, as required by law. If the location of the installation were known to everyone, so that anyone could access it, it would no longer be possible to guarantee its security.”

‍

2. Why is it not possible for us to request and access the images we appear in?

‍

“The protection of personal data requires that only a restricted circle of people be able to access them, it being specified that the images are only viewed in the event of a proven attack on people or property. If anyone could freely access the images taken by a video surveillance camera operated by the City of Geneva, the aforementioned requirements set by the law would simply no longer be respected. The fact that the images are only viewed by the person or persons concerned does not change anything. Cameras are only authorized, by law, to guarantee the security of people and property. Any other use would not be in conformity. Moreover, there is no certainty that only the individual(s) concerned can view the images taken by a camera; the person(s) concerned could therefore have access to data that does not concern him or her, which would clearly be against the law.”

‍

With this update, I have to admit that while I have a better understanding of the reasons behind the privacy of this information, I feel a little lost. By stating that the confidentiality of the storage location is necessary to ensure its security, I wonder if publicly known data centers are therefore not secure. Nevertheless, I am reassured to have gotten these answers, even if I find it a bit of a shame to have had to wait 2 months to get them.