On 11 December 2014, the Court of Justice of the European Union (CJEU) ruled that domestic use of CCTV surveillance should be strictly limited, and that the exemption in article 3(2) of the Data Protection Directive 95/46/EC for "personal or household activity" does not permit the use of domestic CCTV that also records any public space.
Background
Mr Rynes installed CCTV at his family home in the Czech Republic, which filmed the entrance to his home, the public footpath and the entrance to the house opposite. When his family home was broken into on the night of 6-7 October 2007, the CCTV footage allowed him to identify two possible suspects. The recordings were handed over to the police, who subsequently prosecuted the two suspects before the criminal courts.
One of the suspects complained to the Czech data protection authority that the CCTV footage was unlawful. The authority found that Mr Rynes had infringed Czech data protection law, on the grounds that the suspect had been recorded without his consent, while he was on a public footpath in front of Mr Rynes’ house.
Mr Rynes appealed the decision. The Supreme Administrative Court in the Czech Republic hearing the appeal asked the CJEU whether the CCTV recording made by Mr Rynes, for the purposes of protecting the life, health and property of his family and himself, fell within the household exemption in Article 3(2) of the Directive.
Decision
The CJEU held that the CCTV footage did not fall within the household exemption because it filmed a public space. It ruled that the household exemption must be narrowly construed; that the narrow interpretation has its basis in the wording of the provision, which applies to processing carried out for a "purely" personal or household activity; and that CCTV surveillance which covers a public space and which is accordingly directed outwards from the private setting of the person processing the data cannot be regarded as an activity which is a "purely personal or household activity".
Comment
Article 3(2) of the Directive has been transposed in Ireland by section 1(4) of the Data Protection Acts 1988 and 2003 (the DPAs). It provides that the DPAs do not apply to "personal data kept by an individual and concerned only with the management of his personal, family or household affairs or kept by an individual only for recreational purposes".
This decision serves as a reminder that an image of an individual recorded on CCTV constitutes ‘personal data’, and can only be processed with their consent. Accordingly, users of domestic CCTV, and individuals using their mobile phones to take videos in public, must exercise caution when filming, or risk being fined for breaching the DPAs. Indeed, according to a report by the Irish Independent , earlier this year the Irish Data Protection Commissioner (DPC) ordered a crime victim, who had created a website showing CCTV images of criminals breaking into his home, to take down the images or face a €100,000 fine or imprisonment.
Guidance on CCTV issued by the DPC also warns that a neighbour, who objects to images of his or her property being recorded, may be able to take a civil legal action based on the Constitutional and Common law right to privacy.