Big Brother’s Little Brother? The scope of the ‘household exception’ to EU data protection law

Professor Lorna Woods, co-author Steiner and Woods EU Law

Introduction

In the case of Ryneš, the Czech Supreme Administrative Court, Nejvyšší správní soud, referred a question on the meaning of the ‘household activity’ exception under the EU Data Protection Directive to the Court of Justice.  Central to the question was the fact that the processing was by a CCTV camera which was not restricted to the CCTV operator’s own house but covered also the public footpath outside it and the house opposite, when the ‘household exception’ refers to data processed ‘exclusively’ for personal and household purposes.  This is an area in which member States’ practices diverge.  With the exception of Lindqvist, the Court has not dealt with the conditions of applicability for the household exception.  Since then, the EU Charter of Fundamental Rights – which recognises not only the right to private life but also the right to data protection – has acquired legal force by virtue of the Treaty of Lisbon. The Opinion of the Advocate General was handed down today, later than originally scheduled.

Facts

The case arose from the fact that Mr Ryneš installed a CCTV camera on the corner of his house which overlooked not only his front door, but also the public footpath and the opposite house.  His aim was to protect his family and his property, as there had been some previous vandalism to his property.  Shortly after the installation of the CCTV system, the windows of the house were broken once again.  The CCTV footage was used to identify two individuals, one of whom questioned whether the use of the CCTV system was permissible under the Czech data protection law (implementing the directive). 

Question Referred

Mr Ryneš argued that the so-called ‘household exception’ in Article 3(2) of the Data Protection Directive applied.  It states:

2. This Directive shall not apply to the processing of personal data:
- in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law,
- by a natural person in the course of a purely personal or household activity.

The Court referred the following question:-

Can the operation of a camera system installed on a family home for the purposes of the protection of the property, health and life of the owners of the home be classified as the processing of personal data ‘by a natural person in the course of a purely personal or household activity’ within the meaning of Article 3(2) of Directive 95/46/EC, even though such a system monitors also a public space?

Opinion of the Advocate General

The Advocate-General made a number of preliminary points, notably that the answer to the question did not depend on whether the data was stored or erased, or whether the data was used or not used.  What seemed central was the existence of surveillance via the CCTV system. The Advocate General noted this case concerned a fixed CCTV system, where the surveillance was constant. The Advocate General commented that he did not intend to go into the area of devices of a different character, such as mobile phones (AG[30]).

The Advocate-General also emphasised that the Charter applied and that the scope of the directive itself – or limitations on its field of application - should be determined in the light of the right to private life and in this the Advocate-General referred back to principles highlighted in Google Spain; specifically the need to ensure the effectiveness of the directive, stating that the approach in Google Spain (para 69) did not just apply in regards to public authorities but in the context of horizontal relations also (AG [28]), subsequently returning to the need to provide a high level of protection a little later in the opinion (AG [39],citing Digital Rights Ireland, the judgment on the invalidity of the data retention Directive).  

The Advocate-General distinguished between the activities of the police (which fall under the first indent in Article 3(2)) and those of Mr Ryneš.  He was not acting as a member of the police force but as a victim even though he did give the images to the police; the exception for policing therefore did not apply to him. The Advocate-General argued that the scope of the directive should not be determined by the subjective views of interested parties but by objective factors and, as with all exceptions and limitations, should be interpreted narrowly - as illustrated by cases such as Satamedia and Lindqvist.  

Returning to Lindqvist, in which AG Tizzano had given the example of correspondence and address book of personal activity, the Advocate General here suggested that the exception should be limited to those activities which are manifestly private and confidential. In the view of AG Jääskinen, this means activities which are closely and objectively connected to an individual’s private life and do not significantly touch on the private life of others. Family life has a distinct link with the domestic environment, though is not limited to the family home but could include a hotel room or a family car (AG [51]). This is more or less the same ground as protected by Art. 7 of the EUCFR.  For the household exception to apply, whether in respect of private life or family life, there is the additional condition of exclusivity. The Advocate General concluded that the video surveillance of others could not be considered exclusively ‘personal’, though it could in principle fall within the scope of domestic activity. Crucially, however, the extension of the surveillance to public space cannot be considered exclusively domestic because of the impact on others, who may wish to preserve their anonymity.  The underlying concern is the impact of living one’s life under a constant state of surveillance, as noted in Digital Rights Ireland (AG [56]).

The Advocate General concluded that the household exception could not be relied on.

Comment

This seems to be another in the recent trend of cases where the Court – or its Advocates General – has interpreted the Data Protection Directive so as to extend or support protection for the data subject.  This can be seen by the attention paid to the recent cases of Google Spain and the repeated references to Digital Rights Ireland.  While there was some reference to Lindqvist when determining the detail of Article 3(2), it played little role in informing the general direction of approach.  While Satamedia allowed a broad approach to the ‘journalistic exception’ in Article 9 of the Directive, which can be contrasted with the narrow approach here, the exception was of a different type – here the effect of Article 3(2) is to take the data outside the field of the directive altogether. Further, Article 9 brings into play the countervailing interest in freedom of expression. No such interest comes into play to extend private life, or to equate vigilantism with police forces (see also Lindqvist on this).

 

A particular theme is that of the impact of constant surveillance on individuals and on society, again following on from recent cases.  In this the EU judiciary seems in line with ECHR case law. Though the Advocate-General discounted Peck (which concerned re-use of security footage from a local council), there is an existing line of law on state surveillance: for example Liberty v. UK and the pending case of Big Brother Watch v. UK (though admittedly there have been critics about the level of consistency of protection – see e.g. Uzun v. Germany concerning GPS tracking).  The Advocate-General specifically excluded the possibility of discussing other surveillance devices such as mobile phones on the basis that they have different characteristics. This seems like an attempt to sidestep controversy as, from the reasoning, the same issues about surveillance and the impact on individuals could arise.  Admittedly, mobile phones tend towards individual instances of use, which may be more likely to fall within one limb or other of the household exception. 

There are new devices, such as Google Glass, which allow for continuous monitoring (until the battery needs recharging at approx. 45 minutes according to Google), without it being clear whether or not such monitoring is taking place.  This is a significant difference from use of a mobile phone for filming, despite Google’s suggestions that Google Glass is no different from a mobile phone (which could in any event fall outside the household exception itself).  If the Court follows the Advocate General, this adds a gloss to the advice given by the UK Information Commissioner (ICO) after Google glass went on sale here. The ICO blog contains the following statement:

If you are using a wearable technology for your own use then you are unlikely to be breaching the Act. This is because the Act includes an exemption for the collection of personal information for domestic purposes. But if you were to one day decide that you’d like to start using this information for other purposes outside of your personal use, for example to support a local campaign or to start a business, then this exemption would no longer apply.

This is not the case for organisations, whose use of wearable technology to process personal information will almost always be covered the Act….

The way this advice is phrased, it is capable of being read as suggesting that ‘personal use’ is non-business use, whereas on the view of the Advocate-General it seems likely to be narrower than that and therefore could trigger data protection procedures.  Data Protection Commissioners have raised concerns about Google Glass and compliance with local laws. Perhaps the ECJ will have more luck in attracting Google’s attention – though the real burden and risk of penalties would seem to fall on users.

Barnard & Peers: chapter 9