Breach of Data Protection Law
Doorbell cameras can give homeowners peace of mind over burglary concerns and are a convenient way for many to manage their deliveries.
However, a court has recently upheld a claim that their use was a breach of data protection law, and with the risk of a substantial fine this carries, how concerned should we be with this latest ruling?
Background
The dispute arose between neighbours, Mr Woodard and Dr Fairhurst, over concerns that Mr Woodard’s doorbell camera (and other home security cameras) captured images of Dr Fairhurst’s house, garden and parking space. Two of the cameras in question were Amazon’s ‘Ring’ security spotlight camera and Amazon’s Ring doorbell, both of which can record images and audio.
Mr Woodard purportedly installed the cameras in prominent places to deter burglars after he feared his car would be stolen. Dr Fairhurst claimed that the camera’s and Mr Woodard’s actions amounted to:
- harassment;
- a nuisance; and
- where a breach of data protection laws.
The Judge upheld the claims for harassment and breach of data protection, and Mr Woodard now faces being issued with a substantial fine (up to £100,000). Whilst the actions of Mr Woodard may amount to harassment – the question now arises as to whether the use of the cameras is a breach of data protection laws and what this means for those who own and operate such cameras?
What is the law on data protection?
The Data Protection Act 2018 provides that individuals shall be protected by the UK GDPR: the main aim of which is to set out protections for individuals as to how, when and for what purpose their personal data can be collected and processed by others.
Personal Data is broadly defined and covers any information relating to an identified or identifiable living individual, i.e. someone who can be identified directly or indirectly from such information. In this instance, the video images and audio files collated by the devices were deemed personal data.
The Judge, in this case, considered the application of data protection laws and concluded that Mr Woodard was a data controller who had failed to process the data lawfully and in accordance with data protection law.
The question as to whether Mr Woodard can or cannot be deemed a data controller is crucial in this case. The GDPR and the Data Protection Act 2018 expressly state that they do not apply to those acting in the course of purely personal or household activities. Fundamentally, the issue of whether Mr Woodard was acting in a personal capacity (and therefore whether the Data Protection Act and UK GDPR even apply to this case) was not considered by the court.
Also, witness evidence presented by Mr Woodard that he had sought guidance from the Information Commissioner’s Office (the ICO) (the UK’s data protection regulatory body) advising that he had no obligations under data protection law as he is an individual acting in a private capacity were dismissed by the court.
There is a strong argument that Mr Woodard was using the doorbell camera in a private capacity to protect his property with no connection to any commercial activity, particularly as he was not selling or transmitting the data he recorded to any third party. Following this argument, it would have meant that the Data Protection Act 2018 and UK GDPR would not have been applicable to the case, and therefore Mr Woodard would not be deemed a data controller who is capable of breaching such law in the first instance. Dr Fairhurst would therefore have failed to establish a claim of breach of data protection law and received redress by way of the harassment claim only.
Given that there is a strong argument that the finding in this case is potentially an error in law, and therefore an anomaly, confirmation as to whether Mr Woodard intends on appealing such decision is awaited. In the interim, the case does provide food for thought as to where the line between acting in a personal capacity or a commercial one will be drawn?
Who may be affected by this case?
Should similar cases also be caught by data protection laws, this could have implications for those using other technological devices that collect personal data in a private setting, for example, smartphones, dashcams, and GoPro’s or similar cameras.
The case also presents as a strong reminder to commercial entities who collect personal data and who have privacy policies in place to ensure that such documents cater for data collated by way of video and audio devices, including:
- Residential landlords – whose tenants may install these types of devices at their properties;
- Commercial landlords who operate CCTV systems at their properties generally;
- Cloud storage providers – as a controller of any data recorded at properties; and
- Haulage, logistic and transport providers who use dashcams within their vehicles.
Whilst we would expect such entities to have existing data protection and privacy notices in place, we would recommend that such documents be reviewed and updated to ensure they keep pace with the emerging technology that has become widely available to consumers.
Going forward
Whilst the decision by the court cannot set precedent as it was heard in the County Court (and therefore cannot dictate how all other similar cases should be treated), this case undoubtedly raises serious considerations for all those who own similar doorbell-cameras and the legal implications this may pose as to what is deemed acceptable in domestic surveillance.
Until further commentary is received either from the ICO or the court should the case be appealed, it is recommended that owners of such devices be on the side of caution. Even if a device’s settings can be toggled to be ‘off’ until activated by proximity within a certain distance, it is worth considering the extent of the radius and range of the audio and video captured once activated. In this case, the surveillance covered a large segment of the neighbours’ property, and the audio recording range in particular (40ft) was deemed ‘excessive’.
The finding in this case comes after years of developing case law in the data protection and privacy arena. Whilst there is no specific privacy law within the UK, the question now arises as to whether such legislation is required to ensure that the rights and protections of individuals within the UK are protected whilst the intrusive nature of technology continues to expand exponentially.
Here to help
Our team of Data Protection Solicitors are able to advise you on the data protection aspects of your business and provide you with the appropriate documentation to ensure your compliance. If you have any more questions or would like further information, you can contact us below.