The danger from biometric and security cameras in Kosovo

Open Data Kosovo
6 min readJan 31, 2023

--

Author: Kreshnik Gashi (kallxo.com)

Image Source: kallxo.com

Located in every area and in every corner, uncontrolled security cameras continuously violate the privacy of the citizens of Kosovo.

The most dangerous are the biometric ones and the cameras that record audio and are located in public spaces.

The data of the Information and Privacy Agency (IPA) show that during 2022 this Agency managed to establish that in 107 cases the security cameras processed personal data in violation of the law, while in 10 cases it was the institutions themselves that had not respected the standards of proper placement of cameras.

According to the law, security cameras in public spaces can only be controlled by the Kosovo Police, and 10 municipalities violated this. After the Agency’s inspection, municipalities were obliged to respect the law and leave the Police to control the security cameras in those public spaces.

According to the Agency’s report, irregularities were encountered in the municipalities of Prishtina, Graçanica, Gjakova, Peja, Fushë-Kosova, Mamusha, Junik, Istog, Partesh and Ranillug. These municipalities were obliged to delete the data and transfer the control to the Police.

Biometric scanning technology captures data through photographs, video and fingerprints to identify people through computer software. Such technology is used in biometric passports and biometric ID cards, while the widespread use of this technology is prohibited because it collects too much personal data.

Despite the fact that cameras of this nature are limited, they have been found in use in Kosovo in at least three cases.

In the Agency’s inspections, it was found that these cameras or similar devices were installed in three enterprises, two of which are public.

One of the cases is Telekom of Kosova, which had set up a fingerprint control system to supervise the attendance of employees at work.

After the Agency’s inspection, these devices were removed.

According to the commissioner of the Information and Privacy Agency, Krenare Sogojeva Dërmaku, violations of this nature are considered serious and must be terminated immediately by the responsible institutions, while the data obtained in this manner is immediately destroyed.

During the inspection of personal data protection, the Agency’s report lists security cameras as the main issue.

The report finds 107 cases of unlawful installation of the cameras by businesses and institutions.

In the list of legal entities inspected during the last year, irregularities were found in markets, cafes, restaurants, pharmacies, various health centers and even government ministries.

One of the important violations encountered in these inspections is the use of audio cameras.

According to Inspector Arbian Arifi, cameras that record audio in public spaces are prohibited and cannot be used. He has admitted that in some cases regarding public institutions, for example in one case in Gjilan, the security cameras had also recorded the audio.

The inspector adds that during investigation in most premises they found that cameras’ range of view exceeded the space determined for surveillance, while in some cases unauthorized access have been established.

One such example is controlling cameras remotely via phone, which is prohibited under privacy laws.

Commissioner Krenare Sogojeva Drëmaku reminds that phone monitoring is prohibited.

The Information and Privacy Agency has offered guidelines on how to install security cameras in private properties, businesses, but also residential buildings in Kosovo.

In each case, citizens should take into account certain limitations and specifications for the placement of cameras.

IPA has also clarified that in the case of security cameras, audio recording is not allowed.

“As a rule, it is not allowed to install the video surveillance system which can also record the audio, since the main purpose of the camera surveillance installation is the safety of people and property, which means that the voice recording is disproportionate to this purpose and oversteps the fundamental freedoms and rights of the data subject” — the guidelines state.

If citizens want to install a surveillance camera on their private property, they do not have to obtain a permit from the IPA.

However, according to the IPA, it is necessary to meet the criteria provided by the law.

“A warning sign must be placed that the designated space is under video surveillance and that sign must be visible to enable other persons to be informed of the measures. You should also be careful that the view covered by the surveillance camera does exceed the perimeter of your private property” — say the IPA guidelines.

IPA has also indicated the criteria that must be complied with for the video surveillance system in residential buildings.

These criteria are as follows:

  • For the installation of video surveillance systems in residential buildings, the written consent of at least 70% of the residents is required in advance.
  • Video surveillance can be installed only if that is necessary for the safety of people and the security of property.
  • Warning signs must be placed, which must be visible and contain information of the controller.
  • Video surveillance in residential buildings can only monitor the entrance and common areas and not apartment entrances. Video surveillance of the any resident’s apartment or private space is prohibited.
  • Broadcasting via CCTV, public cable television, the Internet or other means of telecommunications, regardless of whether it is done at the time of the recording or later, is prohibited.
  • Footage recorded by the surveillance system must be protected from unauthorized access and/or use and it can not be stored for longer than one month (unless required for legitimate purposes).

The Information and Privacy Agency has also given suggestions for the criteria that should be applied for the placement of security cameras in business premises. According to the Agency, the placement of the cameras must be done pursuant to the Law on Personal Data Protection, which provides that these recordings can be stored for a duration of one month at most, unless otherwise required for legitimate purposes.

The owner who intends to install security cameras in their business premises, according to the IPA, must take the following actions:

  • Make an assessment that the placement of cameras is necessary for a specified purpose which can not be achieved by other means, such as by getting better lighting;
  • Make a decision on the installation of the video surveillance system where they will describe the purpose of the installation, the number of cameras, designate the responsible person and the duration of the storage of the recordings (note, the Law on Personal Data Protection provides that the duration of storage of these records to be one month at most, unless otherwise required for legitimate purposes).
  • Place warning signs which must be visible and contain information of the controller (business).
  • Carefully install this system on the outside of the facility and at the entrance of the facility, but not inside the offices (except for offices where, due to the nature of the work, there is a potential risk for employees).
  • Properly notify employees in writing regarding the video surveillance system and their rights.

The Information and Privacy Agency is an independent agency, responsible for supervising the implementation of the Law on access to public documents and the Law on personal data protection, in order to protect the fundamental rights and freedoms of natural persons regarding the processing of personal data, as well as guaranteeing access to public documents.

This research article was prepared as part of the project “Increasing Civic Engagement in the Digital Agenda — ICEDA” with the financial support of the European Union and the South East Europe (SEE) Digital Rights Network.

The content of this research article is the sole responsibility of Open Data Kosovo and the author and in no way reflects the views of the European Union or the SEE Digital Rights Network.

--

--