Veesion – Court Ruling (France, 2024)

A French company, Veesion created a software for CCTV cameras aimed at detecting suspicious behaviour (gestures) of people. It was based on an algorithmic processing of the images collected by the cameras. The software was popular amongst shops, using it to monitor their commercial premises. The French DPA (CNIL) found the software violated the GDPR, especially the right to object under Article 21 GDPR, and informed the company of the result of the investigation. Also, the DPA mentioned the company clients had to be informed about the outcome of the investigation. In response, the company claimed the DPA's legal reasoning was wrong, mostly because the right to object didn’t apply to the processing of data within the system, pursuant to Article R. 253-6 of the Code of Internal Security ([https://www.legifrance.gouv.fr/codes/texte_lc/LEGITEXT000025503132/ Code de la sécurité intérieure]). Consequently, the company requested the French Supreme Administrative Court (Conseil d’Etat) to suspend the execution of the letter. The court rejected the request as unfounded. The Veesion software was not covered by Article R. 253-6 of the Code of Internal Security, as it was applicable only to certain category of the CCTV, namely the CCTV related to the national security, protection against threats to public security or their prevention. Hence, it didn't cover an algorithmic processing of the images collected by the cameras, which was the functionality of the software. The court didn’t come across with any other reasons to suspend the execution of the letter or making the software compliant with the provisions of law.