Limerick council fined for installing CCTV cameras with no lawful basis
Picture: St St Cctv Limerick Of 22 And Installed On Press Glentworth A Camera In Catherine The Corner
Limerick City and County Council has been hit with a €110,000 fine and a reprimand by the Data Protection Commissioner (DPC) regarding its use of CCTV cameras across the county.
In the culmination of an investigation lasting more than three years into the council’s CCTV practices, the DPC found it to be in breach of the EU General Data Protection Regulation (GDPR) in 50 separate instances.
The investigation surrounded the installation of more than 250 cameras with no lawful basis over the past 15 years and all associated data protection concerns regarding same.
The DPC found that, in multiple instances, there was no legal basis or Garda authorisation for the installation of cameras.
It found that many cameras were being used for purposes other than that for which they were intended, and that the cameras had advanced technology, such as automatic number plate recognition (ANPR, which can be used to track a private individual’s movements), without the correct authorisation.
The commission found that the council has no lawful basis for the processing of personal data for traffic management purposes, and that it had infringed the GDPR by refusing subject access requests regarding personal data.
It said, likewise, that the council had breached the GDPR by failing to make its CCTV policy more easily accessible and transparent.
The council has between 90 and 120 days from the date of the decision to turn off the various cameras found to have been in breach of the GDPR, “until a legal basis can be identified”.
The €110,000 fine represents over 10% of the maximum €1m penalty imposable on an Irish State body.
It added that CCTV is used “around the world … to improve traffic management, urban mobility, and to make the streets safer and more efficient for every user”.
The investigation found that the council had been granting unlawful access to the gardaí at their Limerick headquarters to its camera feeds without the correct authorisation, and had failed to keep a log of such usage.
It also found that, on foot of verbal requests by the gardaí, council staff had been conducting “targeted surveillance” on private individuals using the cameras without a legal basis.
The DPC found that cameras had been installed at nine Traveller halting sites around the county without a legal basis.
It further found in many instances that no signage existed to inform people they were subject to CCTV surveillance, and that no data protection impact assessments (DPIAs) — a prerequisite under the GDPR — had been conducted in terms of the council’s use of drones.
Limerick solicitor Rossa McMahon, a partner at PG McMahon solicitors in Newcastle West, had first raised his concerns regarding the council’s usage of CCTV in 2017, with the subject subsequently taken up by the DPC in the context of all 31 local authorities.
Mr McMahon described the DPC’s published findings as “damning and comprehensive”, though he said the fine imposed “could have been a lot worse”.
“They [the council] seem to have gotten almost everything wrong, from DPIAs to transparency, and even basic things like access requests,” he said.