Livestreaming of funerals, permitted under GDPR?
Earlier this month, the city of Mechelen (Belgium) announced that its cemetery will be equipped with technology which allows funerals to be livestreamed on the internet. This allows relatives and friends who are unable to attend the funeral, to still experience the goodbye of their loved one. This may offer a great solution for people who are immobile or live abroad, but unfortunately it also poses a privacy risk for those who are being filmed during the ceremony.
The livestreaming of funerals in Mechelen provides for an excellent opportunity to take a closer look at the use of cameras and related privacy risks under the General Data Protection Regulation (GDPR), the pan-European privacy legislation which went into effect 25 May 2018.
Although the GDPR is materially similar to the preceding privacy directive (95/46/EG), there are important changes. For example, the fines that can be administered for violating the privacy laws have increased considerably. See our factsheet on the GDPR for more information.
When a camera is being used to film people, this entails processing of their personal data. Under the GDPR, it is required to have a legal basis for such processing activities. The GDPR provides the following legal bases for the processing of personal data (art. 6):
- There is consent of the person whose personal data is being processed (‘the data subject’);
- The processing is necessary for the performance of a contract to which the data subject is party;
- The processing is necessary in order to protect the vital interests of the data subject or another person;
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of a public authority;
- The processing is necessary for the purposes of the legitimate interests of the one responsible for the processing (‘the data controller’).
Although ‘consent of the data subject’ may seem like an easy solution, it might be difficult to obtain and register the consent of everyone who is present at the funeral. One might also consider that the funeral home as the data controller may have certain legitimate interests (to enable family and friends to experience the farewell of a loved one from distance), but e.g. the Dutch privacy supervisory authority (Autoriteit Persoonsgegevens) argued otherwise. In a letter to the sector association of Dutch funeral homes, this supervisory authority stated that consent is the only possible legal ground for filming during funerals. Recognising the practical difficulties of obtaining consent of everyone attending as well, the supervisory authority pointed out that there was another relevant provision in the Dutch privacy law (which had been derived from Directive 95/46/EG and is present in the GDPR as well).
If personal data is processed by a natural person in the course of a purely personal or household activity, the GDPR does not apply (Article 2(2)(a)). The Dutch authority considers livestreaming a funeral to family and friends as something that takes place within a personal or household-setting, but only when the following conditions are met:
- The client should explicitly request the funeral director to film the ceremony, it may not be standard procedure;
- Access to the livestream is limited (by means of login-codes, for example) and only the client is to decide who are allowed to watch. The funeral director should stress that only close friends and family should be allowed to watch;
- The security of the website and stream should be appropriate;
- The recordings should only be available for download for the client;
- The recordings should instantly be deleted after they are not available anymore to the people who were allowed to watch the livestream. They should not be available for more than one month.
Although the Autoriteit Persoonsgegevens is a Dutch authority, its perspective on the livestreaming of funerals may also be considered relevant for funeral homes in Belgium, and elsewhere. Whereas e.g. the Belgian supervisory authority (Gegevensbeschermingsautoriteit) appears not to have addressed this specific issue yet, the Dutch authority provides a clear interpretation of the GDPR, including recommendations on how to comply. Furthermore, complying with the guidelines provided by the Dutch supervisory authority may not only minimise the risk of administrative penalties for non-compliance with privacy laws. It will also help funeral homes to provide their services in a manner which substantially protects the privacy of their customers and their loved ones. In turn, this will help prevent data breaches or other incidents which could cause civil liability and other harm to the business and reputation of a funeral home.
Particularly now that privacy protection has become a major concern in the digital age, not only for the supervisory authorities but also for the general public, it could cause quite a stir if footage from a funeral would be leaked. As such, it is important to remember that privacy compliance is not just in the interest of data subjects, but businesses as well.
The conditions for live streaming funeral ceremonies in a way that respects the right to privacy of those attending, are quite specific and show particularly well that privacy questions often require a case-by-case solution. Camera recording can take place with different goals and in different circumstances, which will cause different conditions for privacy compliance. See for example our factsheet on monitoring (including video surveillance) at work. Another prime example of camera use is for surveillance/security, which is often governed by national law as well.
When using a camera to record video images, it is important to assess if that camera use falls within the scope of the GDPR and whether your intended use is permitted.