The Court of Justice of the European Union has ruled in Case 212/13 František Ryneš v Ú?ad pro ochranu osobních údaj? that those installing domestic CCTV cameras are subject to the duties associated with data protection legislation. It should be noted however that, contrary to some extreme interpretations of the judgment, the Court has not banned such CCTV but has emphasised that its use may be permissible in pursuit of the controller’s legitimate interests.
In the case before the CJEU, Mr Ryneš and his family had been subjected to a number of attacks by unknown persons, and on several occasions the windows of their house were broken. In response to those attacks, Mr Ryneš installed a surveillance camera on the family home, which filmed the entrance, public footpath and the entrance to the house opposite.
During the night of 6 to 7 October 2007, a window of the family home was broken by a shot from a catapult. The recordings made by the surveillance camera were handed over to the police and made it possible to identify two suspects, who were subsequently prosecuted before the criminal courts.
However, one of the suspects disputed before the Czech Office for the Protection of Personal Data the legality of the processing of the data recorded by Mr Ryneš’ surveillance camera. The Office found that Mr Ryneš had in fact infringed the personal data protection rules and fined him. In that connection, one of the points made by the Office was that the data on the suspect had been recorded without his consent while he was on the public footpath in front of Mr. Ryneš’ house.
The Nejvyšší správní soud (Supreme Administrative Court, Czech Republic), hearing the appeal in the dispute between Mr Ryneš and the Office, referred to the CJEU the question of whether the recording made by Mr Ryneš for the purposes of protecting the life, health and property of his family and himself (that is to say, the recording of personal data relating to the individuals launching an attack on his house from the public footpath) constitutes a category of data processing that is not covered by the directive, on the grounds that that recording was made by a natural person in the course of purely personal or household activities.
The CJEU held that the term ‘personal data’ as used in the Directive encompasses any information relating to an identified or identifiable natural person. An identifiable person is anyone who can be identified, directly or indirectly, by reference to one or more factors specific to his physical identity. Consequently, the image of a person recorded by a camera constitutes personal data because it makes it possible to identify the person concerned.
Similarly, video surveillance involving the recording and storage of personal data falls within the scope of the Directive, since it constitutes automatic data processing.
Secondly, the Court finds that the exception provided for in the directive in the case of data processing carried out by a natural person in the course of purely personal or household activities must be narrowly construed. Accordingly, video surveillance which covers a public space and which is accordingly directed outwards from the private setting of the person processing the data cannot be regarded as an activity which is a ‘purely personal or household activity’.
In applying the Directive , the national court must, at the same time, bear in mind the fact that that directive makes it possible to take into account the legitimate interest of the person who has engaged in the processing of personal data (‘the controller’) in protecting the property, health and life of his family and himself.
Specifically, firstly, one of the situations in which personal data processing is permissible without the consent of the data subject is where it is necessary for the purposes of the legitimate interests pursued by the controller. Secondly, the data subject need not be told of the processing of his data where the provision of such information proves impossible or would involve a disproportionate effort. Thirdly, Member States may restrict the scope of the obligations and rights provided for under the Directive if such a restriction is necessary to safeguard the prevention, investigation, detection and prosecution of criminal offences, or the protection of the rights and freedoms of others.
The formal ruling was as follows:
The second indent of Article 3(2) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the operation of a camera system, as a result of which a video recording of people is stored on a continuous recording device such as a hard disk drive, installed by an individual on his family home for the purposes of protecting the property, health and life of the home owners, but which also monitors a public space, does not amount to the processing of data in the course of a purely personal or household activity, for the purposes of that provision.
For the full text of the judgment, click here.
Laurence Eastham writes:
This feels like a set of facts that cried out for a common-sense dodge of the issues – a set of facts written by the enemies of data protection to make the whole of data protection look bad. The Court’s conclusions seem unchallengeable in law – the result seems indefensible in practice. I can see the Daily Mail headline now.
The catch is that even if, as I suspect, the legitimate interests element is exploited to the max, it would still seem to leave numerous users of protective domestic CCTV in breach of data protection law if they have failed to notify. That’s a lot of offenders. The data protection regime was not intended for such people. Here’s another item for the list of things that need to be dealt with in the reform package, and yet another reason for those involved with it to get a move on.