Just after 5pm on a rainy Tuesday afternoon in July and the doors of Café en Seine have yet to open.
A few people, all in facemasks, gather in the smoking area in front of the restaurant-bar, sheltering from the wet weather.
Above them, two cameras monitor the area overhead.
They’re two of 127 Hikvision surveillance cameras in Café en Seine, according to Create Security Solutions, the company who installed them.
They were put in as part of a big refurbishment of the Dawson Street premises two years ago.
Hikvision cameras were also installed in fellow Mercantile Group restaurant Pichet, says Create’s Managing Director Mark Woods.
Dublin City Council recently blacklisted Hikvision over data protection concerns, after a story about the installation of Hikvision cameras at a city council football pitch in Bluebell.
The cameras, according to the Create Security’s website, are part of an “intelligent monitoring system”.
That means they’re connected to the internet and have extra functions such as thermal imaging and the ability to automatically detect the number of people in a premises.
The cameras can, among other features, monitor the temperatures of customers and staff, says Woods.
“When somebody is in the field of view of the camera, that little red buzzer goes off if they have a high temperature,” says Woods. The purpose of the camera, says Woods, is to give customers and staff peace of mind.
But data privacy experts say they are concerned that people’s temperatures are personal data – giving rise to a host of potential privacy issues.
“Once it’s personal data there’s a whole host of requirements that are triggered for that,” says Simon McGarr, the director of Data Compliance Europe, who offer GDPR advice and consultancy.
Feeling the Heat
The cameras, says Woods, are being used to monitor the temperatures of those that enter the cafe.
“What we’re trying to do there was to provide a system that monitors, [and] that also takes skin surface temperatures which is not an indicator for Covid or anything like that, it’s only one indicator,” says Woods.
Skin surface temperature shows if someone is running a high temperature; it can be taken discreetly when a customer is in a queue and then is shown on a screen to the data controller of the Hikvision cameras in the building, says Woods.
“But also very importantly that’s recorded and contained for 30 days as per the HSE guidelines,” he says.
The temperature, says Woods, is set by the data controller which in this case is 38°C.
If a customer is running a temperature above this, the customer is discreetly brought into a seperate area of the cafe and told to wait 10 minutes, he says. Their temperature is then taken again and if the temperature is again about 38°C, the customer is asked to leave the premises.
Café en Seine haven’t responded to queries about their protocols around monitoring customer’s temperatures.
But on their Instagram page, they responded to queries from a user about whether customer would be able to decline temperature checks and how these checks would take place.
They stated that temperature checks are mandatory.
“If someone has a temperature we have an area they can wait in for ten minutes and then try again but if still too high the second time we will not permit entry,” they said.
The user also noted that customers might have a high body temperature for reasons other than Covid-19. To which, the official account responded: “of course but if your feverish you’re temperature is much higher than a high sitting body temp [sic].”
According to Woods, the smart cameras are also currently used to count the number of people on the premises at Café en Seine.
The cameras can also be used to identify individuals who enter the premises, says Woods. But it’s not clear if that’s being used in this case.
Café en Seine is not the only premises in the Mercantile Group – which also counts The George, Opium, The Mercantile and Whelans amongst its portfolio – that has such cameras. Pichet, a restaurant on Essex Street, also recently installed Hikvision cameras to be used for similar purposes, says Woods.
Neither Café en Seine nor the Mercantile Group have responded yet to email queries or phone calls asking about the cameras – in particular, whether their surveillance network is being used for facial recognition purposes, whether a Data Protection Impact Assessment has been carried out (as required under GDPR), and what the cameras are being used for.
Would You Know?
It’s unclear how much those who choose to celebrate the gradual reawakening of the city’s social scene at Café en Seine, or Pichet, will be alerted to the monitoring system and the data harvested.
Under GDPR, people do have a right to be informed about data processing, says Eoin O’Dell, associate professor of law in Trinity College Dublin and member of the Government Data Forum, set up in 2014 to advise on data protection issues. “What usually happens is you walk in and you see a sign.”
These signs usually say something like: “CCTV cameras are in operation here”, he says. Or, it might be flagged on an app which is likely to be popular in the future, he says.
The right to be told that data is being gathered is one thing. Whether or not that notification is enough to allow the data gatherer to, legally, process that data is another, though.
“The simplest lawful basis [for processing] is consent. I agree that you can process all of this information for all of these purposes,” says O’Dell.
“When you sign up to a social networking platform that’s what you’re doing. You’re agreeing to allow them to process your personal data,” he says.
But a sign telling somebody that CCTV is operating. Is that sufficient consent? Probably not, says O’Dell.
“Consent has to be to be freely given, specific, informed and unambiguous,” he says. That’s a legal requirement from Article 4 of the GDPR.
O’Dell says he thinks that customers should know from a company “what personal data it’s processing, why it’s processing, and third party consent”.
In some cases, says O’Dell, explicit consent is needed under GDPR.
One way of looking at explicit consent, according to the Health Research Board, is that it should leave no room for misinterpretation. O’Dell says it’s unlikely that the act of walking into the pub is freely given, specific, informed and unambiguous consent. “It certainly isn’t an explicit consent.”
McGarr, of Data Compliance Europe, says that this is especially the case when it comes to health data.
A camera attached to a temperature device is different to a thermometer that everybody sucks as they go in, he says. The temperature by itself can’t identify you, says McGarr.
“But a camera and a temperature device seems almost certain to be producing identifiable information and the two pieces of information together mean that both of them would become personal data,” he says.
Under Article 9 of GDPR, it’s prohibited to collect health data, says McGarr, unless you fall under the very narrow exemptions of permission under Article 9.2.
He asks whether there was a Data Protection Impact Assessment (a process designed to identify risks arising out of the processing of personal data) carried out to see whether the data that is being collected by Café en Seine falls under prohibitions outlined under the GDPR.
Café en Seine hasn’t yet responded to queries about who the designated data controller would be, and how long they planned to retain customers’ data.