Lorna Woods, Professor of Law, University of Essex
Does EU data protection law apply to home CCTV cameras? The CJEU addressed that issue yesterday in the judgment in Case C-212/13 Ryneš v. Úřad pro ochranuosobníchúdajů. In its judgment, the Fourth Chamber of the Court agrees with the Advocate-General's opinion (discussed here), although it avoids some of the difficult questions hinted at in that opinion.
This judgment is significant in two ways. First, it has potentially broader application than just to fixed surveillance devices and could indicate the way data recording devices are used in public spaces even by private individuals. Second, it forms part of a train of judgments highlighting the significance of data protection for individuals. This significance is perhaps reflected in the fact that eight member States made submissions before the court.
Mr Ryneš and his family had for several years been subjected to attacks by persons whom it had not been possible to identify and the windows of the family home had been broken on several occasions. As a result, he installed CCTV cameras under the eaves of his house. The camera was installed in a fixed position and could not turn; it recorded the entrance to his home, the public footpath and the entrance to the house opposite. The images were recorded to hard drive, and subsequently over-written by new recordings. A further attack took place but it was possible to identify the suspects because of the CCTV. The recording was handed over to the police and relied on in the course of the subsequent criminal proceedings. One of the suspects challenged the use of CCTV in this way: arguing that Mr Ryneš had not complied with the Czech rules implementing the EU Data Protection Directive (DPD). Mr Ryneš essentially argued that the matter did not come within the DPD because of the application of the ‘household exception’ in Article 3(2) DPD. It was the scope of that provision that was referred to the CJEU by the national court.
The Court began by confirming that CCTV surveillance in principle constitutes the processing of personal data so far as it makes it possible to identify the person concerned [paras 22-25]. The Court then turned its attention to the question of whether the situation escaped the application of the DPD in so far as it is carried out ‘in the course of a purely personal or household activity’ for the purposes of the second indent of Article 3(2) DPD.
The Court emphasised that the purpose of the DPD is to ensure a high level of protection for personal data – seen as part of an individual’s privacy and in so doing referred to Google Spain and Google (C‑131/12), and that, following IPI (C‑473/12, para 39) and Digital Rights Ireland and Others(C‑293/12 and C‑594/12, para 52) restrictions on data protection must apply on so far as strictly necessary [para 28]. Further, the DPD must be construed in the light of the Charter. These factors meant that Article 3(2) DPD should be construed narrowly [para 29]. In the Court’s view this approach followed also from the wording of Article 3(2) in any event: the use of the word ‘purely’ indicates a narrow range of circumstances. Following the reasoning of the Advocate General, the Court held that:
‘To the extent that video surveillance such as that at issue in the main proceedings covers, even partially, a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner, it cannot be regarded as an activity which is a purely ‘personal or household’ activity for the purposes of the second indent of Article 3(2) of Directive 95/46.’ [para 33]
While the DPD applies, the Court noted the possibility of the data controller’s legitimate interests and other possible exceptions in the Directive being taken into account [para 34] although the Court did not elaborate further on such balancing in this instance.
This case is not the first case that has considered the scope of the ‘household exception’: Lindqvist (C-101/01) was the first, which held that the ‘household exception’ did not apply to the posting of information on a web site. According to the Court then, the exception clearly did not apply because the making available of information to an indefinite number of people was not an activity carried out in the course of the private or family life of an individual. The reasoning here is not clear, and is replete with assumptions (what is the position of an on-line personal diary, for example?). It is perhaps because of the lack of clarity that the Court here did not cite Lindqvist – a rather noticeable omission otherwise. Rather it, like the Advocate-General before it, went back to first principles about the value and status of data protection. This is the beginning of a stream of data protection cases – arising in very different circumstances – in which the Court has repeatedly ascribed a high value to data protection and the protection of privacy. These cases then should be seen not as isolated, but as part of consistent body of rulings on this point. What was clearer from the Opinion in this case was the fact that this high value ascribed to the protection of personal data applies as between individuals, as well as constraining the activities of the State.
While it might be standard practice to view exceptions as to be construed narrowly, the Court does not give us much information as to how to define this in practice. What we have instead is the assertion that something that impinges on a public space cannot be ‘purely’ private. Balancing of interests takes place as a consequence within the framework of the DPD, essentially by virtue of Article 7(f)DPD, which allows data processing to take place in the legitimate interests of the data controller (in this case, the homeowner interested in protecting his security), balanced against the interests of the data subject (the criminal suspects in this case), rather than by determining whether the DPD applies or not. This approach probably allows for a more subtle approach to the question of respective interests, although as Article 29 Working Party (the advisory body made up of national data protection supervisors) have noted there is not much consistency across the Member States on how to interpret Article 7(f) DPD (Opinion 06/2014). There has been concern that, given the openness of its wording, Article 7(f) could be used to undermine the effectiveness of data protection. Here, presumably protection of private property would weigh heavily (the Article 29 Working Party give security as an example of a ‘legitimate interest’), though the balancing of interests might be different in the context of someone passing in the street and someone visiting the house opposite.
This then leads us to the question of when else the principles in Ryneš might apply. The obvious example is devices capable of recording personal data in public spaces. In addition to CCTV, drones and body worn video used by local authorities and the police in the law enforcement context, we should think here about mobile phones with cameras and devices such as Google glass, which have already been flagged up as potentially problematic in regulatory terms. While Google may have taken steps to improve privacy by design in this device, this does not absolve users from responsibility under the data protection regime if it applies to them. If we take the approach that even partial public use of a fixed CCTV system cannot benefit from the household exception, still less would a portable, possibly inconspicuous device the purpose of which is uncertain. The reasoning seems stronger still if we consider the possible onward use of such data – via a website for example (though note the Article 29 Working Party’s view on social networking sites in Opinion 5/2009)– taking into account the view in Lindqvist. Here it is less clear to see that the legitimate interests of the data controller (ie the person using the device to record and store personal data),assuming the processing were to be deemed ‘necessary’ to pursue that interest, would weigh heavily against a high level of protection for data protection even as between individuals (see views of Article 29 Working Party on freedom of expression arguments in this context).
How might this judgment apply to specific cases? A parent would have a legitimate interest in photographing or filming his or her children or friends, although there might be constraints (taking account of the Peck v UK judgment of the European Court of Human Rights, where Article 8 ECHR was breached after CCTV footage of an attempted suicide was shown on national television) on how much such footage might be shared in future. Indeed, broad sharing of those images (for example uploading to a website without privacy protection as in Lindqvist) could constitute an act of processing outside the household exception, which should therefore comply with DPD requirements too. Photographs taken within the context of private and family life but then used by journalists presumably also fall within the scope of the Directive, although in that case the relevant provision would be the rather general clause which provides for balancing the right to privacy and the freedom of expression.
CCTV cameras which fully face public streets and areas open to the public like shopping malls are obviously covered by the Directive, so processing must comply with the requirements of Article 6 of the Directive unless any other exceptions are applicable. CCTV used in workplaces would obviously not fall within the scope of the household exception, so the requirements of the DPD regarding processing would apply. Depending on the nature of the footage there would be further limits on sharing that footage (images of hospital patients, for instance, would reveal sensitive data about their health). Finally, there might be hybrid locations which are both public and private (for instance, a care home is both a residence and a workplace). Given that the Court has emphasised the household exception arises only when the processing can be tied ‘purely’ to private and family life hybrid locations are unlikely to be considered within the household exception. In the example of the care home, this is especially likely to be true given that the data controller is likely to be the operator of the care home using CCTV for operational reasons, rather than private ones. Of course, it would still be possible to justify the use of CCTV in such cases in accordance with the Directive.
Barnard & Peers: chapter 9