Last week a Scottish
court issued a judgment in a case where damages were sought for breaches of the
Data Protection Act 1998 (DPA) in relation to domestic CCTV and surveillance
equipment. Whilst, as a sheriff court decision, the court’s judgment is not
binding on other courts, the case does consider a number of interesting issues.
Background
Woolley & Woolley v Akbar or Akram (Woolley) centred
on two neighbours who each owned properties in a semi-detached house in
Edinburgh, one above the other.
After their
relationship broke down in 2013, both neighbours installed surveillance
equipment.
Unlike the pursuers,
whose CCTV equipment covered only their own property, the defender’s
surveillance equipment had been positioned so as to cover the pursuer’s garden
and entrance to their property.
The defender also
installed audio recording boxes which were able to pick up conversations in the
pursuers’ garden and (it was feared) inside the pursuers’ property itself.
The justification given
by the defender was that the equipment was installed to capture any
altercations between the parties.
After three
(unsuccessful) attempts by the pursuers to limit the extent of the defender’s
surveillance and to obtain copies of the personal information processed by the
defender, the matter, along with other disputes, came before the courts.
Decision
The Sheriff held
that the defender had been a data controller for the purposes of the DPA since
installation of the equipment in 2013, despite only registering as such in
2015.
In terms of the
duty owed to data subjects (including the pursuers), the Sheriff held that the
defender had committed multiple breaches of the DPA, which can be broadly
summarised as follows:
- the processing was not fair or lawful (a
breach of the first data protection principle); - the surveillance was ‘extravagant,
highly intrusive and not limited in any way’ and no adequate justification had
been given (a breach of the third data protection principle); and - the data collected was kept for longer
than was necessary (a breach of the fifth data protection principle).
The pursuers were
awarded approximately £17,000 in compensation.
The domestic purposes exemption
The case is the
latest to consider the application of the EU data protection laws to the activities
of private individuals and the exemption in relation to processing for purely
personal or household activity (the “domestic purposes exemption”).
In 2014, the Court
of Justice of the European Union (CJEU) gave a significant
ruling in the Ryneš case, which confirmed that an
individual would not be able to rely on the domestic purposes exemption where
the surveillance also monitors a ‘public space’. This applies regardless of the
party’s intentions, and prompted the ICO to update its code
of practice for surveillance.
Whilst surveillance
that also monitors a public space does not fall within the domestic purposes
exemption, the ECJ noted that this did not automatically mean such processing
would be a breach of data protection law, if it could be justified.
Interestingly there
was no reference in Woolley to the
ruling in Ryneš, but it does
highlight the risks of individuals using surveillance equipment for personal
reasons. It also provides some guidance on the meaning of a ‘public space’, which
in this case was interpreted to mean any space that is beyond the boundary of an
individual’s own private property.
Depending on the
nature of activities, many householders using CCTV may be unaware that they
qualify as data controllers and fall within the scope of the DPA.
Breach of the first principle
The first data
protection principle requires that data shall be processed fairly and lawfully
and, in particular, shall not be processed unless at least one of the
conditions in sch 2 is met.
The court found
that the defender had failed to provide the pursuers (or any third parties
visiting the premises) with the information set out in para 2(3) of Part II of sch
1 to the DPA. That is the requirement to provide notice of the identity of the
data controller, the purposes for which the data are intended to be processed,
and any other information which is necessary to enable the processing to be
fair. Whilst the presence of the equipment may have been obvious, the purpose
and extent of the surveillance was not.
The court also
found that the data controller had failed to meet any of the conditions set out
in sch 2. The defender did not satisfactorily explain or justify its use of the
surveillance equipment. In the absence of such justification, the court held
that the defender could not rely upon condition 6 (the legitimate interests
condition) as the defender could not show that such extensive surveillance was
necessary for the purposes of the defender’s legitimate interests and that the
processing did not prejudice the rights and freedoms or legitimate interests of
data subjects (ie the pursuers and others visiting the property).
Breach of the third principle
The third data protection
principle requires that data shall be adequate, relevant and not excessive to
the purpose or purposes for which they are processed.
The defender led no
evidence attempting to explain the surveillance and justify the level of
intrusiveness. In the absence of any evidence to the contrary, the court found
that the use of CCTV and surveillance equipment pointed at the pursuer’s
property was ‘extravagant and unjustified’.
In this case, the surveillance
equipment apparently operated continuously, even when the defender was not at
the premises. The apparent ability of the audio-recording equipment to record
conversations in the pursuers’ house and private garden was considered particularly
intrusive.
Breach of the fifth principle
Finally, the court
held that the defender had also breached the third data protection principle
(not to retain data for longer than is necessary).
The defender
claimed that the hard disk overwrote itself every five days. The court found,
however, that no active assessment had been made by the defender as to how long
data should be retained. Given the stated purpose (for recording confrontations
between the neighbours), even five days was excessive.
Approach to compensation
Prior to Vidal-Hall v Google Inc.,
it was understood that there was a requirement under the DPA for individuals
claiming compensation to show pecuniary loss. A claim could not be awarded on
the basis of distress alone. However, Vidal-Hall
ruled that this approach was incompatible with the EU Directive 95/46/EC (the
Directive which the DPA implements into UK law).
In the absence of
clear financial loss, quantification of damages for distress can be difficult,
and is a developing area.
In Woolley, the pursuers claimed (and were
awarded) damages calculated on the basis of £10 per person per day that the
defender operated the CCTV system in breach of the DPA. The judgment does not
provide more detail on the basis of this model and it was acknowledged that no
authority exists for compensation in such circumstances. Indeed, there are
indications (a reference to the claim being a ‘moderate’ basis of claim) that
the court may have been minded to award higher damages if they had been sought.
Conclusion
It is clear in this
case that the defender did not make any real attempt to justify its actions
under the DPA and the ICO’s code of practice for surveillance cameras. In the absence
of such representations and such extensive use of surveillance, it was
difficult for the court to reach any different conclusion in relation to the
alleged breaches of the DPA. For that reason, the court’s specific findings on
the breaches of the first, third and fifth data protection principles may be of
limited relevance.
However, the case
does provide a helpful reminder of the issues to be borne in mind when using
surveillance equipment (whether domestic or otherwise) and the importance of
ensuring that the use of surveillance equipment is justified and proportionate.
The court’s
approach to quantifying damages for distress is also notable, adopting a per
day approach to calculating a monetary amount. It will be interesting to see if
this approach is adopted in future cases as the Vidal Hall principle develops.
Martin Sloan is a partner, and Leigh Gapinski is a solicitor, in
the Commercial Services Division at Brodies LLP (http://www.brodies.com).
A version of this article was originally published on Brodies
TechBlog (http://techblog.brodies.com). Twitter: @lawyer_martin