Article 4 of the GDPR defines personal data as any information related to an ‘identified or identifiable natural person’ so, in the context of CCTV, if you are identifiable from the images, then those images can be regarded as personal data and the GDPR and Data Protection Act will apply.
Dublin City Council, in seeking to dissuade illegal dumpers in Dublin city centre, used partially blocked-out images of people dumping rubbish in a particular area.
The individuals were identifiable, however: while a stranger would not recognise the perpetrator, the perpetrators would recognise themselves, and most likely their neighbours would too. The Data Protection Commission contacted the council with their concerns in relation to the project.
A controller of personal data is regarded as the legal entity that controls the purposes and means of processing personal data. The data controller may take the form of an individual or a company. Data controllers are subject to a number of statutory obligations in relation to security, retention, minimisation, and so on.
For video information, the most pertinent obligations are transparency as to the nature of the processing, and the right to access of any individuals filmed. Where a type of video-recording is likely to result in a high risk to the rights and freedoms of natural persons, it may be necessary to undertake a data-protection impact assessment.
There is a common misconception that GDPR applies to all personal data. This is not true. The ‘domestic use exemption’ applies to ‘purely personal or household activities’, meaning that GDPR does not apply to your private daily life.
The boundaries of the ‘domestic-use exemption’ are set out in what is known as the Rynes decision of the European Court of Justice.
This case related to an individual’s home CCTV system, which recorded footage of his front garden. However, it also covered the path outside his home and some of his neighbour’s property. The European Court of Justice found, given the latter coverage outside of the personal property of Mr Rynes, that the domestic-use exemption did not apply.
In this jurisdiction, gardaí have the right to capture personal data as evidence for the purpose of an investigation under section 70 of the Data Protection Act 2018, and a controller of personal data may hold or gather personal data for that purpose under section 41 of the same act.
The use of CCTV as evidence is increasingly a feature of criminal prosecutions in this jurisdiction. The recent prosecution of the murder of Patricia O’Connor is an example. The CCTV system of a neighbour covered part of the property of Mrs O’Connor and was used as evidence in the hearing.
While a strict application of Rynes would indicate that such footage could be excluded from a case due to it having no legal basis, the Irish courts would appear to allow such footage in the criminal context.
On the other hand, the continual recording of a neighbour’s private property may constitute harassment, which may be subject to criminal prosecution.
Here’s lookin’ at you
The increasingly high quality of affordable technologies leaves us with a more complex technical environment to which the law is applied. Technologies such as drones, dashcams, and the ease with which footage can be shared means that the parameters of ‘purely personal or household activities’ will often be determined on a case-by-case basis.
The use of dashcams has been addressed by the Data Protection Commission. The commission suggests the ‘potential implications’ in relation to dashcams for individuals using them.
Without being explicit, this would appear to suggest that, in light of Rynes, if your dashcam is facing out onto the road, even if this is for purely personal use, then you are likely a data controller as per GDPR, meaning that all statutory implications will apply.
In a commercial context, the owner of a dashcam system will clearly be regarded as a ‘controller’ of personal data. The European Data Protection Board has made the separate point that a dashcam should only be recording at relevant times – that is, when driving.
In any public spaces, shops, cafés or museums, it is now rare that CCTV is not in place, monitoring the individuals present. This is usually for the purposes of security, which is perfectly legal once the data controller complies with their obligations under GDPR – most importantly, that of transparency to the individual recorded. Once the individual knows of the recording, they may then invoke their right to access the video as a data subject.
It therefore must be reasonably clear to any individual that (a) recording is taking place, (b) the purpose of this recording, and (c) the identity of the ‘data controller’ and any contact information. The normal means of undertaking this is by the placement of appropriate signage in the locus of the recording.
Video killed the radio star
As things stand, it would appear that if a user of a dashcam is determined to be a controller, whether a private individual or a company vehicle, all obligations of a controller would apply to them, and that similar information should be made available to an individual potentially filmed. Where a dashcam is mounted on a car, this may be done by way of signage on the vehicle.
The practical application of such signage to drones or other smaller video-recording technology may be more complex. The obligation to undertake a data-protection impact assessment may be a factor also.
Outside of criminal investigations, there are other common examples where video footage is used for a purpose that it was not originally intended for.
CCTV may be used for the purposes of staff-monitoring. However, this must not be regarded as ‘excessive processing’, and staff must be informed of the possible uses prior to being recorded.
In the Data Protection Commission’s Case Study 7/2015, it was found that CCTV in an employee canteen in a retail store was ‘excessive processing’. Further, the High Court has recently found that if CCTV is installed for the purposes of ensuring security and health and safety, footage from that system may not be used in the course of any subsequent disciplinary process involving employees.
If planning to install CCTV in such a context, it would be advisable to look into the necessity of undertaking a data-protection impact assessment before doing so.
It has been a recent feature that certain information that has been held or shared for the purposes of litigation has been leaked to the press and published during or after proceedings. It must be clear that the legal basis for handling the personal data in many cases is the fact of the proceedings.
Girls on film
Any publishing or processing outside of that function would constitute a possible breach of the data-protection rights of the individual involved. This may attach to video footage – but similar rules apply to all personal data obtained in this process.
Sharing of video can also cause problems – the clear issue being that, once a video is shared on a media platform, it is no longer private. However, there are other concerns also.
Recently, a woman was prosecuted for possession of child pornography in a situation where she had been sent a video on WhatsApp by a person she did not know well, watched it in part, turned it off after seeing that it was inappropriate content, and asked the sender why he had sent it.
However, the video automatically downloaded, and the recipient was later prosecuted for ‘possession’ of child pornography. It is suggested that this would constitute a worrying precedent if followed in the future.
There is a huge amount of video-recording and CCTV in place that we encounter on a daily basis. Not all of it falls within the parameters of what is legal. To undertake video-recording, even in a personal capacity, may now invoke certain obligations as a data controller; in a commercial context, this is a certainty.
The upshot is that there is clearly going to be a significant amount of future litigation revolving around these issues, and people who control the recordings need to be clearly aware of the consequences that their actions (or, indeed, inactions) have in the context of their legal obligations.
Eoin Cannon is a barrister specialising in data protection