Estonian court grants data regulatory body authority to issue written evaluations

In a landmark ruling, the Tallinn Circuit Court has validated the enforcement powers of data protection authorities under the General Data Protection Regulation (GDPR). The case, which emerged after a neighbour's complaint about CCTV cameras capturing both private property and public road areas, has significant implications for the marketing industry's use of surveillance and monitoring technologies.

The Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) issued an enforcement order on February 2, 2023, requiring the controller to halt all filming outside their property boundaries or submit a written legitimate interest assessment for continued surveillance of public areas.

The court characterized the order as "appropriate" and "not disproportionate" for ensuring GDPR compliance. This ruling establishes that authorities can require such measures as appropriate means of achieving GDPR compliance in particular circumstances.

The accountability principle under Articles 5(2) and 24(1) GDPR was cited as the legal basis for the court's requirement for written documentation of legitimate interest assessments. The ruling also emphasized that "direct or indirect" identification capabilities trigger full data protection obligations regardless of controllers' stated intentions.

The court determined that individuals remained identifiable at distances covering both the neighboring property and public road areas, supporting the authority's jurisdiction over the surveillance system under GDPR provisions. Systems capable of individual identification require appropriate legal bases and compliance documentation, even when deployed for aggregate analytics purposes.

Companies cannot rely solely on vendor claims or internal assessments when demonstrating GDPR compliance to supervisory authorities. Instead, they must align technical implementations with legal justifications.

The European standard EVS-EN 62676-4:2015 provides specific pixel resolution requirements for different identification levels in video surveillance systems. These technical specifications directly determine whether surveillance systems process personal data under GDPR definitions.

The Tallinn Circuit Court's decision validates the enforcement powers of data protection authorities under Article 58(2)(d) GDPR. The controller's argument that requiring written assessment of legitimate interest exceeded the authority's powers under GDPR was rejected by the court.

The ruling establishes that enforcement orders need not identify specific legal provisions mandating written documentation. This means that data protection authorities have the discretion to require written assessments in certain cases, even if there is no explicit provision in the GDPR requiring it.

The Estonian ruling carries significant implications for marketing companies deploying CCTV systems for customer behaviour analysis or security purposes. They must now prepare for potential written assessment requirements when authorities investigate their practices.

In conclusion, the Tallinn Circuit Court's decision reinforces the importance of data protection compliance for all organisations, particularly those using surveillance technologies. It serves as a reminder that data protection authorities have the power to enforce GDPR regulations and that companies must take their obligations seriously.

Estonian court grants data regulatory body authority to issue written evaluations