All Quiet on the Home Front? Home Surveillance and Data Protection
18 December 2014
In František Ryneš (C-212/13), published on 11 December 2014, the Court of Justice of the European Union (“CJEU”) considered whether the ‘personal or household’ exclusion from data protection law applies to the use of home surveillance devices. The Court concluded that an individual who uses CCTV cameras, for home security purposes, may be regulated by EU data protection law if that camera captures footage from a public footpath, even if that footpath is located outside their home.
This decision of the CJEU arose out of a referral from a Czech court. František Ryneš was challenging a decision of the Czech Office for the Protection of Personal Data (“Czech Office”). Mr Ryneš and his family had been subjected to attacks over a number of years, along with damage to the property in which he lived with his family. He was unable to identify the culprits and, in response, set up a video surveillance camera under the eaves of his house. Camera footage was subsequently used to identify his suspected attackers. In the course of their prosecution, one of the suspects challenged the legitimacy of the surveillance evidence, and at this stage the Czech Office became involved. The Czech Office determined that Mr Ryneš had committed a number of offences under Czech Data Protection law. Mr Ryneš challenged this outcome.
Mr Ryneš sought to rely on the exclusion under Article 3(2) of the Data Protection Directive which provides that processing ‘by a natural person in the course of a purely personal or household activity’ is outside the scope of the Data Protection Directive.
Europe Weighs In
The CJEU agreed with the Advocate General in finding that the exclusion was not applicable in this case.
The Court reiterated the need to protect the fundamental right to private life. It followed its previous case-law which, focusing on the protection of privacy, considers that any exemption from the scope of data protection law must be narrowly interpreted. The CJEU also considered the wording of the exclusion – referring to purely personal or household activities – as justifying a narrow interpretation.
The video camera in question captured part of the public footpath outside the home of Mr Ryneš. The CJEU determined that where there is even partial surveillance of a public space, it cannot be regarded as purely personal or household activity and fall within the exclusion from data protection law.
However, at the same time, the CJEU signalled that the surveillance may be justified by the legitimate interests pursued by Mr Ryneš – such as protecting his property, health and life and those of his family.
Ever Expanding Scope
The CJEU’s conclusion, that data protection law applies but that home surveillance may be justified under data protection law, has some interesting implications.
In narrowing the exclusions from data protection law, the CJEU is expanding the scope of data protection law and the set of activities that fall under the supervision of European data protection authorities. The CJEU states that this approach flows from the fact that privacy is a fundamental right under EU law, again demonstrating the human rights based approach increasingly seen in recent European data protection case-law. Such an approach was also seen in the reasoning in the recent Google Spain ‘Right to be Forgotten’ decision. The Advocate General indicated that data protection law ought to be applicable as the Data Protection Directive is specifically intended to strike the appropriate balance between various competing fundamental rights.
The CJEU did not consider in detail whether surveillance in such circumstances is legitimate under data protection law – though it did suggest this could be a possibility, clearly inviting the national court to consider this point. Incidentally, in the past, the Irish Data Protection Commissioner has challenged certain personal security uses of CCTV footage, at least where such footage is placed online.
More broadly, this case shows that even activities that may have traditionally been seen as falling outside of the scope of data protection law (such as the protection of one’s home) now fall within its remit, and are only lawful if they can be justified by reference to the fairly technical rules of data protection law.
The content of this article is provided for information purposes only and does not constitute legal or other advice. Mason Hayes & Curran (www.mhc.ie) is a leading business law firm with offices in Dublin, London and New York.