The presence of CCTV cameras has become an accepted, if not always welcome, part of the background to modern life. Although both the Information and Surveillance Commissioners have provided clear guidance with respect to the use of CCTV by businesses and organisations, “domestic” surveillance has been treated as an exception. Following the decision of the European Court of Justice in the case of Ryneš (C-212/13), this may be about to change.
This recent European Court of Justice judgment relates to the application of data protection principles to private individuals using CCTV cameras to protect their property. Under article 3(2) of the Directive, the data protection principles do not apply where personal data is processed for “purely personal or household affairs.” Previously, the Information Commissioner had considered that this exception, as transposed into section 36 of the Data Protection Act 1998, was relatively broad. He is now reconsidering his position.
The facts before the court
Mr Ryneš’ home had been the subject of attacks by unknown persons which had prompted him to install a CCTV camera. This was attached to his house to record the entrance to his home and the public footpath. The camera ran on a continuous loop recording data until full and then recording over it. His home was subject to another attack after the installation of the camera and he gave the recording to the police to prosecute the offenders. One of the offenders resisted the prosecution on the basis that the surveillance system was not lawful and the national court (in the Czech Republic) referred the question to the Court of Justice to clarify the application of the European Data Protection Directive 1995 (the Directive) to these circumstances.
Finding of the court
The court found that the operation of a CCTV camera system on which images of the public are stored on a continuous recording device (such as a hard disk drive) installed by an individual on his family home for the purposes of protecting the property, health and life of the home owners, but which also monitors a public space, does not amount to the processing of data in the course of a purely personal or household activity. Therefore, in short, the use of CCTV in these circumstances is not exempt from the various protections of the Directive.
Although the Directive takes into account the legitimate interests of the owner such as the protection of property, health and life, as an exception to the right to respect for privacy, the court considered that it must be narrowly interpreted.
What this means for domestic CCTV operators
Watch this space. In his first Annual Report, the Surveillance Camera Commissioner identified the use of CCTV within the domestic context as his first future challenge. Just 1 in every 70 CCTV cameras is state owned and with CCTV systems available on the high street from as little as £100, the Surveillance Commissioner noted an upsurge in complaints about the use of domestic CCTV cameras.
The Information Commissioner is currently reviewing his guidance in light of this judgment. However, in the meantime, it is clear that CCTV surveillance which even partially covers a public space and is directed outwards from the private setting of the person must comply with the data protection principles. This is not necessarily straightforward, especially when applying the principles to the domestic context. However, as set out in the Information Commissioner’s code of practice, compliance includes the following:
- Clear information available to anyone who may be captured by the system about the identity and contact details of the operator and the purpose of the CCTV surveillance;
- A process by which anyone captured on the system can access the data;
- Notification to the supervisory authority (the Information Commissioner’s Office) before they are set up.