In its judgement of 11 December 2014 (Case C-212/13 František Ryneš v Úřad pro ochranu osobních údajů) the Court of Justice of the European Union (CJEU) had to answer “a very precise” question [to use the words of Advocate General JÄÄSKINEN]:
“Can the operation of a camera system installed on a family home for the purposes of the protection of the property, health and life of the owners of the home be classified as the processing of personal data “by a natural person in the course of a purely personal or household activity” for the purposes of Article 3(2) of Directive 95/46 …, even though such a system also monitors a public space?”
To put the question into context, Mr Ryneš (whom we will call Mr R) had “installed and used a camera system located under the eaves of his family home. The camera was installed in a fixed position and could not turn; it recorded the entrance to his home, the public footpath and the entrance to the house opposite. The system allowed only a visual recording, which was stored on recording equipment in the form of a continuous loop, that is to say, on a hard disk drive. As soon as it reached full capacity, the device would record over the existing recording, erasing the old material. No monitor was installed on the recording equipment, so the images could not be studied in real time. Only Mr R had direct access to the system and the data.”
Mr R had installed the camera system to protect the “property, health and life of his family and himself” as a result of several attacks on his home. After the installation of the camera system a further attack took place and the camera system allowed the identification of 2 suspects. The recording was handed over to the police and criminal proceedings were initiated. However the 2 suspects complained about the lawfulness of the installation of the camera system before the Data Protection authority, which found that the installation was in breach of Czech data protection law.
The judgement of the CJEU is relatively short and echoes the opinion of the Advocate General. After finding that the image of a person recorded by a camera constitutes personal data and that video surveillance in the form of a video recording of persons constitutes automatic processing, the CJEU holds that Article 3(2) of the Data Protection Directive must be narrowly construed so that:
“the operation of a camera system, as a result of which a video recording of people is stored on a continuous recording device such as a hard disk drive, installed by an individual on his family home for the purposes of protecting the property, health and life of the home owners, but which also monitors a public space, does not amount to the processing of data in the course of a purely personal or household activity, for the purposes of that provision”.
2 points are worth mentioning:
- The application of the Data Protection Directive to the facts at hand does not mean that the operation of a camera system both on private and public premises is per se unlawful. In fact it is likely that such an operation would be justified on the ground of the legitimate interest of the data controller. The Advocate General says that “[a]s for the lawfulness of data processing in the form at issue in the main proceedings, I believe that it may be lawful under Article 7(f) of Directive 95/46…. In the case currently under consideration, it seems to me that the activity pursued by Mr R was intended to protect his enjoyment of other fundamental rights, such as the right to property and the right to family life”.
- By excluding the qualification of “purely personal or household activity” in this case, the CJEU implicitly recognises that the private operation of a camera system targeting both private and public premises for the purposes of identifying criminal offenders and communicating the information to law enforcement forces falls within the remit of the Data Protection Directive as it is not an “activity of the State in areas of criminal law”. [To refresh memories, Article 3(2) excludes from the scope of the Data Protection Directive “the activities of the State in areas of criminal law”]. In other words a private individual installing and operating a camera system is not acting as a state agent. The Advocate General states it expressly: “I should point out that the case before the referring court does not concern State security, or the activities of the State in areas of criminal law, which could come within the exception laid down in the first indent of Article 3(2) of Directive 95/46, even though the collected data were ultimately handed over to the authorities. Mr R acted as a private individual who was a victim of a criminal offence and not as an officer of the law”.
Such a solution is quite interesting in particular if we try to extrapolate the holding of the CJEU in the context of online communications, as private actors such as Internet intermediaries are often called upon to detect online criminal activities and communicate with law enforcement forces. As mentioned in a previous post though [see here], the monitoring activity of Internet intermediaries is “slightly” more problematic as it potentially violates the principle of confidentiality of communications [Peep Beep!]. And the Article 29 Working Party seems to be of the opinion that to limit the scope of this principle of confidentiality a clear legal basis is necessary [see the working document on surveillance of electronic communications for intelligence and national security purposes WP228].
For those based in the UK it is also worth noting that on 16 December the UK Surveillance Camera Commissioner published his first annual report for the period 2013 to 2014. In the report, the Surveillance Camera Commissioner confirms that he will issue guidance on the use of domestic CCTV systems following an increase in the number of complaints regarding them.