As expected the European Court of Justice (ECJ) judgement on the domestic purpose exemption followed the Advocate General’s reasoning (see my previous blog). The Court concluded that personal data collected from a public space by a home CCTV system (e.g. from the road outside the home) does not qualify for the domestic purpose exemption.
This blog explores what I think this judgement means in practice (e.g. for householders, the insurance industry).
In summary, like any other CCTV, “domestic” CCTV surveillance has now to adhere to the usual data protection norms (e.g. signage, notification etc). Note that the recently issued CCTV Code of Practice from the ICO is likely to be amended; the Code admits that “The ICO will review its position on this aspect of domestic use (of CCTV) when the CJEU issues its final judgment. This may lead to the ICO updating this code or issuing supplementary guidance”.
The key conclusions of the ECJ judgment are:
“…the image of a person recorded by a camera constitutes personal data … inasmuch as it makes it possible to identify the person concerned...” and that “…surveillance in the form of a video recording of persons, as in the case before the referring court … constitutes …the automatic processing of personal data” (Paragraphs 22 and 25).
“As is clear from Article 1 … and Recital 10 …(that) .. Directive 95/46 is intended to ensure a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy, with respect to the processing of personal data…. the exception provided for in the second indent of Article 3(2) of that directive must be narrowly construed”. (Paragraphs 27 and 29; my emphasis).
“Consequently… the operation of a camera system, as a result of which a video recording of people is stored on a continuous recording device such as a hard disk drive, installed by an individual on his family home for the purposes of protecting the property, health and life of the home owners, but which also monitors a public space, does not amount to the processing of data in the course of a purely personal or household activity...” (Paragraph 35; my emphasis).
Impact of the judgement
The following are my conclusions as to what this judgment means in practice.
Those selling domestic CCTV systems, drones (one of the nation’s “must have” Xmas present if press reporting is correct) or promoting the use of CCTV (e.g. in relation to insurance; see next bullet point) should provide advice that such systems can be fully subject to the Data Protection Act if they monitor public spaces and capture details of individuals, especially if these images are posted on the Internet or disclosed to third parties.
Drivers of cars who install monitoring devices just in case the images are needed by an insurance company or police (e.g. in the event of a motoring accident), cannot rely on the domestic purpose exemption. The same goes for cyclists with helmet cameras to record road incidents for evidential purposes.
Those who use domestic cameras to undertake surveillance of “nuisance” children from a housing estate or neighbours who allow their dogs to foul the footpath, where the intention is to copy the footage to a Local Authority for enforcing anti-social behaviour legislation, cannot rely on the domestic purpose exemption.
Those taking images of women entering an abortion clinic in order to display images on the Internet in order to “shame” those women similarly cannot rely on the domestic purpose exemption.
Why do I think the above? Well the scenarios above meet all the criteria identified by the ECJ (monitoring of a public space followed by likely disclosure to the public or to the authorities). The disclosure is essential in order to provide evidence that the recording has taken place; in Ryneš the tipping point for the legal action was that CCTV images were disclosed to the police.
If “domestic” CCTV images were also to be posted on the Internet, then a domestic purpose “double whammy” would happen. The domestic purpose exemption would not apply for reasons of Ryneš as well as Lindqvist (see references; Lindqvist is the ECJ ruling that determined the domestic purpose exemption was did not apply to personal data posted on a website).
What about parents taking camcorder images at those nativity plays at a primary school; a common practice at Xmas? Well I think that this is a likely “no change” so long as the recorded images are not published (e.g. on YouTube). I state this because paragraph 32 of the judgment states:
“Accordingly, so far as natural persons are concerned, correspondence and the keeping of address books constitute, in the light of Recital 12 to Directive 95/46, a ‘purely personal or household activity’ even if they incidentally concern or may concern the private life of other persons”.
I think that so long as the recorded images of the school play are not made public (i.e. they remain “exclusively personal or domestic”; Recital 12 of Directive 95/46), then it can be argued that the recording is incidentally capturing other members of the cast. Note that if the images are kept private, then there is no evidence in the public domain that the recording of personal images ever successfully took place.
What about the use of domestic CCTV to watch neighbours who are sunbathing in their back-garden? Well I think that if the judgment restricts the surveillance of public spaces, then the surveillance of a private place for a purpose which involves invading another individual’s private space, will also fall outside the domestic purpose exemption. This is because the exemption, to use the words of the judgment, “must be narrowly construed” (quoted above).
However, having said this there is a high evidential hurdle to jump. For instance, how do you prove your neighbour is undertaking this kind of surveillance activity without having the evidence (e.g. access to a copy of actual recorded images)?
This is why a disclosure of images to a third party (e.g. to the Police) or posting the material on the Internet are important practical components associated with this judgement, as such disclosure provides the evidence that the images were actually made. Without such evidence, it will be difficult to prove that any processing of personal data has taken place, a necessary precursor if one is to claim that there has been a breach of the Act.
In addition, if someone posts the images anonymously on the web, then it is going to be difficult to find the responsible data controller. The only recourse the data subject would then have would be to that much maligned “right to be forgotten” (Google Spain); but that is another story!
Finally, there is the problem with notification and the £35 fee. Technically households that have CCTV in similar circumstances to Ryneš are processing personal data without being notified or an applicable exemption from notification; as readers know, failure to notify is currently an offence. The same problem arises if personal data are posted on the Internet following Lindqvist (and I suspect this notification problem is a major reason for the ICO ignoring Lindqvist).
To resolve this problem, I point out is that the Government has powers to modify notification requirements or create new exemptions to notification. In my view, such an exemption is now needed to decriminalise a large section of the population who are wholly unaware that they are committing a crime (e.g. those who post images on Facebook; households that already have domestic CCTV).
However, such a notification exemption does not negate other aspects of the Act. For instance, the ICO can advise, enforce and issue Monetary Penalty Orders depending on the seriousness of any “domestic processing incident”. And that is how it should be.
References associated with this blog
11th December 2014: Judgment in Case C-212/13; Ryneš. http://curia.europa.eu/juris/liste.jsf?num=C-212/13
6th November 2003: Judgment in Case C-101/01; Lindqvist. http://curia.europa.eu/juris/liste.jsf?language=en&num=C-101/01
13 May 2014: Judgment in Case C-131/12; Google Spain and Google. http://curia.europa.eu/juris/liste.jsf?num=C-131/12
ICO’s Data Protection Code of Practice for Surveillance Cameras and Personal Information: https://ico.org.uk/media/for-organisations/documents/1542/cctv-code-of-practice.pdf
Previous blog: D-Day for the Domestic Purpose exemption and the use of CCTV installed at home. http://amberhawk.typepad.com/amberhawk/2014/12/d-day-for-the-domestic-purpose-exemption-and-the-use-of-cctv-installed-at-home.html