Bringing Data Protection Home? The CJEU rules on data protection law and home CCTV

 

Lorna Woods, Professor of Law, University of Essex

 

Does EU data protection law apply to home CCTV cameras? The CJEU addressed that issue yesterday in the judgment in Case C-212/13 Ryneš v. Úřad pro ochranuosobníchúdajů. In its judgment, the Fourth Chamber of the Court agrees with the Advocate-General's  opinion (discussed here), although it avoids some of the difficult questions hinted at in that opinion.

This judgment is significant in two ways. First, it has potentially broader application than just to fixed surveillance devices and could indicate the way data recording devices are used in public spaces even by private individuals.  Second, it forms part of a train of judgments highlighting the significance of data protection for individuals. This significance is perhaps reflected in the fact that eight member States made submissions before the court.

 

Facts

Mr Ryneš and his family had for several years been subjected to attacks by persons whom it had not been possible to identify and the windows of the family home had been broken on several occasions.  As a result, he installed CCTV cameras under the eaves of his house.  The camera was installed in a fixed position and could not turn; it recorded the entrance to his home, the public footpath and the entrance to the house opposite.  The images were recorded to hard drive, and subsequently over-written by new recordings.  A further attack took place but it was possible to identify the suspects because of the CCTV.  The recording was handed over to the police and relied on in the course of the subsequent criminal proceedings.  One of the suspects challenged the use of CCTV in this way: arguing that Mr Ryneš had not complied with the Czech rules implementing the EU Data Protection Directive (DPD). Mr Ryneš essentially argued that the matter did not come within the DPD because of the application of the ‘household exception’ in Article 3(2) DPD. It was the scope of that provision that was referred to the CJEU by the national court.

 

Judgment

The Court began by confirming that CCTV surveillance in principle constitutes the processing of personal data so far as it makes it possible to identify the person concerned [paras 22-25].  The Court then turned its attention to the question of whether the situation escaped the application of the DPD in so far as it is carried out ‘in the course of a purely personal or household activity’ for the purposes of the second indent of Article 3(2) DPD.

The Court emphasised that the purpose of the DPD is to ensure a high level of protection for personal data – seen as part of an individual’s privacy and in so doing referred to Google Spain and Google (C‑131/12), and that, following IPI (C‑473/12, para 39) and Digital Rights Ireland and Others(C‑293/12 and C‑594/12, para 52) restrictions on data protection must apply on so far as strictly necessary [para 28].  Further, the DPD must be construed in the light of the Charter. These factors meant that Article 3(2) DPD should be construed narrowly [para 29]. In the Court’s view this approach followed also from the wording of Article 3(2) in any event: the use of the word ‘purely’ indicates a narrow range of circumstances. Following the reasoning of the Advocate General, the Court held that:

‘To the extent that video surveillance such as that at issue in the main proceedings covers, even partially, a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner, it cannot be regarded as an activity which is a purely ‘personal or household’ activity for the purposes of the second indent of Article 3(2) of Directive 95/46.’ [para 33]

While the DPD applies, the Court noted the possibility of the data controller’s legitimate interests and other possible exceptions in the Directive being taken into account [para 34] although the Court did not elaborate further on such balancing in this instance.

 

Comment

This case is not the first case that has considered the scope of the ‘household exception’: Lindqvist (C-101/01) was the first, which held that the ‘household exception’ did not apply to the posting of information on a web site. According to the Court then, the exception clearly did not apply because the making available of information to an indefinite number of people was not an activity carried out in the course of the private or family life of an individual.  The reasoning here is not clear, and is replete with assumptions (what is the position of an on-line personal diary, for example?). It is perhaps because of the lack of clarity that the Court here did not cite Lindqvist – a rather noticeable omission otherwise.  Rather it, like the Advocate-General before it, went back to first principles about the value and status of data protection. This is the beginning of a stream of data protection cases – arising in very different circumstances – in which the Court has repeatedly ascribed a high value to data protection and the protection of privacy. These cases then should be seen not as isolated, but as part of consistent body of rulings on this point.  What was clearer from the Opinion in this case was the fact that this high value ascribed to the protection of personal data applies as between individuals, as well as constraining the activities of the State.

 

While it might be standard practice to view exceptions as to be construed narrowly, the Court does not give us much information as to how to define this in practice. What we have instead is the assertion that something that impinges on a public space cannot be ‘purely’ private. Balancing of interests takes place as a consequence within the framework of the DPD, essentially by virtue of Article 7(f)DPD, which allows data processing to take place in the legitimate interests of the data controller (in this case, the homeowner interested in protecting his security), balanced against the interests of the data subject (the criminal suspects in this case), rather than by determining whether the DPD applies or not.  This approach probably allows for a more subtle approach to the question of respective interests, although as Article 29 Working Party (the advisory body made up of national data protection supervisors) have noted there is not much consistency across the Member States on how to interpret Article 7(f) DPD (Opinion 06/2014).  There has been concern that, given the openness of its wording, Article 7(f) could be used to undermine the effectiveness of data protection.  Here, presumably protection of private property would weigh heavily (the Article 29 Working Party give security as an example of a ‘legitimate interest’), though the balancing of interests might be different in the context of someone passing in the street and someone visiting the house opposite.

 

This then leads us to the question of when else the principles in Ryneš might apply.  The obvious example is devices capable of recording personal data in public spaces. In addition to CCTV, drones and body worn video used by local authorities and the police in the law enforcement context, we should think here about mobile phones with cameras and devices such as Google glass, which have already been flagged up as potentially problematic in regulatory terms. While Google may have taken steps to improve privacy by design in this device, this does not absolve users from responsibility under the data protection regime if it applies to them.  If we take the approach that even partial public use of a fixed CCTV system cannot benefit from the household exception, still less would a portable, possibly inconspicuous device the purpose of which is uncertain.  The reasoning seems stronger still if we consider the possible onward use of such data – via a website for example (though note the Article 29 Working Party’s view on social networking sites in Opinion 5/2009)– taking into account the view in Lindqvist.  Here it is less clear to see that the legitimate interests of the data controller (ie the person using the device to record and store personal data),assuming the processing were to be deemed ‘necessary’ to pursue that interest, would weigh heavily against a high level of protection for data protection even as between individuals (see views of Article 29 Working Party on freedom of expression arguments in this context).

 

How might this judgment apply to specific cases? A parent would have a legitimate interest in photographing or filming his or her children or friends, although there might be constraints (taking account of the Peck v UK judgment of the European Court of Human Rights, where Article 8 ECHR was breached after CCTV footage of an attempted suicide was shown on national television) on how much such footage might be shared in future. Indeed, broad sharing of those images (for example uploading to a website without privacy protection as in Lindqvist) could constitute an act of processing outside the household exception, which should therefore comply with DPD requirements too.  Photographs taken within the context of private and family life but then used by journalists presumably also fall within the scope of the Directive, although in that case the relevant provision would be the rather general clause which provides for balancing the right to privacy and the freedom of expression.

 

CCTV cameras which fully face public streets and areas open to the public like shopping malls are obviously covered by the Directive, so processing must comply with the requirements of Article 6 of the Directive unless any other exceptions are applicable. CCTV used in workplaces would obviously not fall within the scope of the household exception, so the requirements of the DPD regarding processing would apply. Depending on the nature of the footage there would be further limits on sharing that footage (images of hospital patients, for instance, would reveal sensitive data about their health). Finally, there might be hybrid locations which are both public and private (for instance, a care home is both a residence and a workplace). Given that the Court has emphasised the household exception arises only when the processing can be tied ‘purely’ to private and family life hybrid locations are unlikely to be considered within the household exception.  In the example of the care home, this is especially likely to be true given that the data controller is likely to be the operator of the care home using CCTV for operational reasons, rather than private ones. Of course, it would still be possible to justify the use of CCTV in such cases in accordance with the Directive.

 

Barnard & Peers: chapter 9

 

Big Brother’s Little Brother? The scope of the ‘household exception’ to EU data protection law

Professor Lorna Woods, co-author Steiner and Woods EU Law

Introduction

In the case of Ryneš, the Czech Supreme Administrative Court, Nejvyšší správní soud, referred a question on the meaning of the ‘household activity’ exception under the EU Data Protection Directive to the Court of Justice.  Central to the question was the fact that the processing was by a CCTV camera which was not restricted to the CCTV operator’s own house but covered also the public footpath outside it and the house opposite, when the ‘household exception’ refers to data processed ‘exclusively’ for personal and household purposes.  This is an area in which member States’ practices diverge.  With the exception of Lindqvist, the Court has not dealt with the conditions of applicability for the household exception.  Since then, the EU Charter of Fundamental Rights – which recognises not only the right to private life but also the right to data protection – has acquired legal force by virtue of the Treaty of Lisbon. The Opinion of the Advocate General was handed down today, later than originally scheduled.

Facts

The case arose from the fact that Mr Ryneš installed a CCTV camera on the corner of his house which overlooked not only his front door, but also the public footpath and the opposite house.  His aim was to protect his family and his property, as there had been some previous vandalism to his property.  Shortly after the installation of the CCTV system, the windows of the house were broken once again.  The CCTV footage was used to identify two individuals, one of whom questioned whether the use of the CCTV system was permissible under the Czech data protection law (implementing the directive). 

Question Referred

Mr Ryneš argued that the so-called ‘household exception’ in Article 3(2) of the Data Protection Directive applied.  It states:

2. This Directive shall not apply to the processing of personal data:
- in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law,
- by a natural person in the course of a purely personal or household activity.

The Court referred the following question:-

Can the operation of a camera system installed on a family home for the purposes of the protection of the property, health and life of the owners of the home be classified as the processing of personal data ‘by a natural person in the course of a purely personal or household activity’ within the meaning of Article 3(2) of Directive 95/46/EC, even though such a system monitors also a public space?

Opinion of the Advocate General

The Advocate-General made a number of preliminary points, notably that the answer to the question did not depend on whether the data was stored or erased, or whether the data was used or not used.  What seemed central was the existence of surveillance via the CCTV system. The Advocate General noted this case concerned a fixed CCTV system, where the surveillance was constant. The Advocate General commented that he did not intend to go into the area of devices of a different character, such as mobile phones (AG[30]).

The Advocate-General also emphasised that the Charter applied and that the scope of the directive itself – or limitations on its field of application - should be determined in the light of the right to private life and in this the Advocate-General referred back to principles highlighted in Google Spain; specifically the need to ensure the effectiveness of the directive, stating that the approach in Google Spain (para 69) did not just apply in regards to public authorities but in the context of horizontal relations also (AG [28]), subsequently returning to the need to provide a high level of protection a little later in the opinion (AG [39],citing Digital Rights Ireland, the judgment on the invalidity of the data retention Directive).  

The Advocate-General distinguished between the activities of the police (which fall under the first indent in Article 3(2)) and those of Mr Ryneš.  He was not acting as a member of the police force but as a victim even though he did give the images to the police; the exception for policing therefore did not apply to him. The Advocate-General argued that the scope of the directive should not be determined by the subjective views of interested parties but by objective factors and, as with all exceptions and limitations, should be interpreted narrowly - as illustrated by cases such as Satamedia and Lindqvist.  

Returning to Lindqvist, in which AG Tizzano had given the example of correspondence and address book of personal activity, the Advocate General here suggested that the exception should be limited to those activities which are manifestly private and confidential. In the view of AG Jääskinen, this means activities which are closely and objectively connected to an individual’s private life and do not significantly touch on the private life of others. Family life has a distinct link with the domestic environment, though is not limited to the family home but could include a hotel room or a family car (AG [51]). This is more or less the same ground as protected by Art. 7 of the EUCFR.  For the household exception to apply, whether in respect of private life or family life, there is the additional condition of exclusivity. The Advocate General concluded that the video surveillance of others could not be considered exclusively ‘personal’, though it could in principle fall within the scope of domestic activity. Crucially, however, the extension of the surveillance to public space cannot be considered exclusively domestic because of the impact on others, who may wish to preserve their anonymity.  The underlying concern is the impact of living one’s life under a constant state of surveillance, as noted in Digital Rights Ireland (AG [56]).

The Advocate General concluded that the household exception could not be relied on.

Comment

This seems to be another in the recent trend of cases where the Court – or its Advocates General – has interpreted the Data Protection Directive so as to extend or support protection for the data subject.  This can be seen by the attention paid to the recent cases of Google Spain and the repeated references to Digital Rights Ireland.  While there was some reference to Lindqvist when determining the detail of Article 3(2), it played little role in informing the general direction of approach.  While Satamedia allowed a broad approach to the ‘journalistic exception’ in Article 9 of the Directive, which can be contrasted with the narrow approach here, the exception was of a different type – here the effect of Article 3(2) is to take the data outside the field of the directive altogether. Further, Article 9 brings into play the countervailing interest in freedom of expression. No such interest comes into play to extend private life, or to equate vigilantism with police forces (see also Lindqvist on this).

 

A particular theme is that of the impact of constant surveillance on individuals and on society, again following on from recent cases.  In this the EU judiciary seems in line with ECHR case law. Though the Advocate-General discounted Peck (which concerned re-use of security footage from a local council), there is an existing line of law on state surveillance: for example Liberty v. UK and the pending case of Big Brother Watch v. UK (though admittedly there have been critics about the level of consistency of protection – see e.g. Uzun v. Germany concerning GPS tracking).  The Advocate-General specifically excluded the possibility of discussing other surveillance devices such as mobile phones on the basis that they have different characteristics. This seems like an attempt to sidestep controversy as, from the reasoning, the same issues about surveillance and the impact on individuals could arise.  Admittedly, mobile phones tend towards individual instances of use, which may be more likely to fall within one limb or other of the household exception. 

There are new devices, such as Google Glass, which allow for continuous monitoring (until the battery needs recharging at approx. 45 minutes according to Google), without it being clear whether or not such monitoring is taking place.  This is a significant difference from use of a mobile phone for filming, despite Google’s suggestions that Google Glass is no different from a mobile phone (which could in any event fall outside the household exception itself).  If the Court follows the Advocate General, this adds a gloss to the advice given by the UK Information Commissioner (ICO) after Google glass went on sale here. The ICO blog contains the following statement:

If you are using a wearable technology for your own use then you are unlikely to be breaching the Act. This is because the Act includes an exemption for the collection of personal information for domestic purposes. But if you were to one day decide that you’d like to start using this information for other purposes outside of your personal use, for example to support a local campaign or to start a business, then this exemption would no longer apply.

This is not the case for organisations, whose use of wearable technology to process personal information will almost always be covered the Act….

The way this advice is phrased, it is capable of being read as suggesting that ‘personal use’ is non-business use, whereas on the view of the Advocate-General it seems likely to be narrower than that and therefore could trigger data protection procedures.  Data Protection Commissioners have raised concerns about Google Glass and compliance with local laws. Perhaps the ECJ will have more luck in attracting Google’s attention – though the real burden and risk of penalties would seem to fall on users.

Barnard & Peers: chapter 9