The Court of Justice of the European Union (CJEU) has today published its decision in the case of Ryneš and has found that domestic CCTV which films a public area cannot be exempt from the obligations contained in the EU Data Protection Directive by virtue of the “household exemption”.
Why is this decision so significant?
This is the third time this year the CJEU has taken a hard line on the interpretation of EU data privacy law (remember its rulings on the data retention and the right to be forgotten?). The CJEU’s most recent decision also has major implications, not for only domestic users of CCTV cameras who will now need to ensure that their use of any footage which contains images of identifiable individuals complies with the data privacy rules, but also in the context of the ‘Internet of Things’ (IoT) (i.e. all “smart things” such as wearable technology and connected devices that monitor and communicate with our homes, cars, work environment and physical activities).
The decision of the CJEU is hardly surprising, in light of the guidance issued earlier this year by the Article 29 Working Party on the IoT. Here the EU data protection regulators expressly stated that the household exemption is of limited application in the context of the IoT, particularly because the business model of IoT implies that user’s data is systematically transferred to device manufacturers, application developers and other third parties. The Article 29 Working Party has also questioned whether the household exemption is sustainable in the context of recent technologies such as social networking services, which allow ordinary citizens to make vast amounts of Personal Data about themselves and others instantly available on a worldwide basis.
However, it is interesting to note that in the Ryneš case, no monitor was installed in connection to the recording equipment, so the recorded images could not be studied in real time. Only Mr Ryneš had direct access to the system and the data – so the system was not ‘connected’ as would typically be the case in the context of the IoT and social networking services.
About the decision
Mr Ryneš, installed and used a camera system located under the eaves of his family home in the Czech Republic. The camera was installed in a fixed position and could not turn; it recorded the entrance to his home, the public footpath and the entrance to the house opposite. The system allowed only a visual recording (not audio), which was stored on a hard disk drive in the form of a continuous loop – as soon as it reached full capacity, the device would record over the existing recording, erasing the old material. Mr Ryneš had installed the camera to protect his property and family and when the windows of his home were broken in 2007, it permitted him to identify two possible suspects. The recording was handed over to the police and relied on in the course of the subsequent criminal proceedings.
One of the suspects complained and the local data protection authority found that Mr Ryneš had infringed Czech data protection law since:
- as a data controller, he had used a camera system to collect, without their consent, the personal data of persons moving along the street or entering the house opposite;
- he had not informed those persons of the processing of that personal data, the extent and purpose of that processing, by whom and by what means the personal data would be processed, or who would have access to the personal data; and
- as a data controller, Mr Ryneš had not fulfilled the obligation to report that processing to the Office.
Following a decision and subsequent appeal in the local courts, the matter was referred to the CJEU for a preliminary ruling on the following question:
‘Can the operation of a camera system installed on a family home for the purposes of the protection of the property, health and life of the owners of the home be classified as the processing of personal data “by a natural person in the course of a purely personal or household activity” for the purposes of Article 3(2) of Directive 95/46 …, even though such a system also monitors a public space?’
The CJEU’s decision
The CJEU decided that the household exemption could not apply to this activity because:
- the intention of the Directive is to ensure a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy, with respect to the processing of personal data. In this connection, and according to settled case-law, the protection of the fundamental right to private life guaranteed under Article 7 of the Charter of Fundamental Rights of the European Union requires that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary.
- Since the provisions of the Directive, in so far as they govern the processing of personal data liable to infringe the right to privacy, must necessarily be interpreted in the light of the fundamental rights set out in the Charter (and as discussed in the Google decision) the Household exception must be narrowly construed.
- This narrow interpretation has its basis also in the wording of the provision, which applies to processing carried out for a ‘purely’ personal or household activity, (not simply a personal or household activity), such as correspondence and the keeping of address books, as noted in recital 12 of the Directive.
What are the practical implications of the CJEU’s decision?
They are massive. The data protection authorities are very likely to see a significant increase in their work load. Not just because they will need to update relevant guidance (such as the Information Commissioner’s Office who has only just recently issued its revised CCTV code of practice) but because this decision also brings within their remit the users of domestic CCTV, as well as every individual who uses their mobile phone or personal video recording device used to make a recording in public (So take care when filming your children in their Christmas production this year).
Only time will tell how this wide reaching decision will be applied to individuals in practice. However, device and product manufacturers, social platforms and third party application developers will no doubt be thinking about the implications of this decision for the users of their products and services and how they can help them to comply with their new, potentially wide reaching obligations going forward.