Hungarian data protection regulator ruling highlights shortcomings of facial-recognition via CCTV


After an investigation of a Hungarian municipality, which installed AI facial-recognitions software within a 39-camera CCTV network, Hungary's National Authority for Data Protection and Freedom of Information (NAIH) ruled that this data processing was unlawful and imposed a fine of HUF 500,000 (EUR 1,250) on the technical service provider.

The ruling stands although the investigation revealed that the CCTV's facial-recognition function had not been activated.

In its investigation, the NAIH found the following deficiencies:

Necessity and proportionality of facial-recognition

The NAIH emphasised that the assessment of necessity and proportionality in the processing of biometric data requires particular care since the processing of biometric data severely restricts a data subject's right to self-determination with personal data.

According to the municipality, the use of AI was justified because thousands of people visit nightclubs on the affected promenade, which corresponded with a drastic increase in crime. It is a regular concern for the investigating authority that perpetrators disappear into the crowd, which they believed could be remedied by applying AI. Reviewing camera footage can take days of investigative work while using AI could significantly reduce this time. However, the NAIH stated that the risk factors do not justify the use of facial-recognition and the underlying legislation does not authorise the municipality to process biometric data.

Shortcomings of the joint controllership agreement

The NAIH found that the cooperation agreement between the municipality and police did not contain any specifics regarding joint control of the CCTV network. The agreement should have addressed issues, such as the tasks and responsibilities related to the fulfilment of the data controller's obligations in the areas of data security, enforcement of data subject rights, record keeping, and breach management.

Inadequate data security measures

Finally, the NAIH identified three deficiencies in the data security measures applied to the CCTV system:

  • Privacy of one of the camera rooms was only protected by a door that opened directly from the public area.
  • Some users were able to log into the system with the same login, but it was not individually recorded who logged in and performed data processing operations. There were also no up-to-date records on the rights and obligations of the various data processing operations.
  • The technical service provider violated the requirement that the data processor should act only on the documented instructions of the data controller when its employee modified, deleted and created roles without the data controller's knowledge.

For more information on data protection and privacy rights in Hungary, contact your CMS client partner or local CMS experts.