Ring Doorbells, Domestic CCTV and GDPR

The Daily Mail reports today that, “A female doctor is set to be paid more than £100,000 after a judge ruled that her neighbour’s Ring smart doorbell cameras breached her privacy in a landmark legal battle which could pave the way for thousands of lawsuits over the Amazon-owned device.”

Dr Mary Fairhurst, the Claimant, alleged that she was forced to move out of her home because the internet-connected cameras are so “intrusive”. She also said that the Defendant, Mr Woodard, had harassed her by becoming “aggressive” when she complained to him.

A judge at Oxford County Court, ruled yesterday that Jon Woodard’s use of his Ring cameras amounted to harassment, nuisance and a breach of data protection laws. The Daily Sage goes on to say:

“Yesterday’s ruling is thought to be the first of its kind in the UK and could set precedent for more than 100,000 owners of the Ring doorbell nationally.”

Before Ring doorbell owners rush out to dismantle their devices, let’s pause and reflect on this story. This was not about one person using a camera to watch their house or protect their motorbike. The Defendant had set up a network of cameras around his property which could also be used to watch his neighbour’s comings and goings. 

Careful reading of the judgement leads one to conclude that the legal action brought by the Claimant was really about the use of domestic cameras in such a way as to make a neighbour feel harassed and distressed. She was primarily arguing for protection and relief under the Protection from Harassment Act 1997 and the civil tort of nuisance. Despite the Daily Mail’s sensational headline, the judgement does not put domestic CCTV camera or Ring doorbell owners at risk of paying out thousands of pounds in compensation (as long as they don’t use the cameras to harass their neighbours!). However, it does require owners to think about the legal implications of their systems. Let’s examine the data protection angle.

Firstly, the UK GDPR can apply to domestic CCTV and door camera systems. After all, the owners of such systems are processing personal data (images and even voice recordings) about visitors to their property as well as passers-by and others caught in the systems’ peripheral vision.  However, on the face of it, a domestic system should be covered by Article 2(2)(a) of the UK GDPR which says the law does not apply to “processing of personal data by an individual in the course of purely personal or household activity.” Recital 18 explains further:

“This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities.”

The judge in this case concluded that the camera system, set up by the Defendant, had collected data outside the boundaries of his property and, in the case of one specific camera, “it had a very wide field of view and captured the Claimant’s personal data as she drove in and out of the car park.” This would take the system outside of the personal and household exemption quoted above, as confirmed by the Information Commissioner’s CCTV guidance:

“If you set up your system so it captures only images within the boundary of your private domestic property (including your garden), then the data protection laws will not apply to you.

But what if your system captures images of people outside the boundary of your private domestic property – for example, in neighbours’ homes or gardens, shared spaces, or on a public footpath or a street?

Then the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18) will apply to you, and you will need to ensure your use of CCTV complies with these laws.”

Once a residential camera system comes under the provisions of the UK GDPR then of course the owner has to comply with all the Data Protection Principles including the obligation to be transparent (through privacy notices) and to ensure that the data processing is adequate, relevant and not excessive. Data Subjects also have rights in relation to their data including to see a copy of it and ask for it to be deleted (subject to some exemptions).

Judge Clarke said the Defendant had “sought to actively mislead the Claimant about how and whether the cameras operated and what they captured.” This suggests a breach of the First Principle (lawfulness and transparency). There were also concerns about the amount of data some of the cameras captured (Fourth Principle).

Let’s now turn to the level of compensation which could be awarded to the Claimant. Article 82 of the UK GDPR does contain a free standing right for a Data Subject to sue for compensation where they have suffered material or non-material damage, including distress, as a result of a breach of the legislation. However, the figure mentioned by the Daily Mail headline of £100,000 seems far-fetched even for a breach of harassment and nuisance laws let alone GDPR on its own. The court will have to consider evidence of the duration of the breach and the level of damage and distress cause to the Claimant. 

This judgement does not mean that Ring door camera owners should rush out to dismantle them before passing dog walkers make compensation claims. It does though require owners to think carefully about the citing of cameras, the adequacy of notices and the impact of their system on their neighbour’s privacy. 

The Daily Mail story follows yesterday’s BBC website feature about footballers attempting to use GDPR to control use of their performance data (see yesterday’s blog and Ibrahim Hasan’s BBC interview). Early Christmas gifts for data protection professionals to help them highlight the importance and topicality of what they do!

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have a few places left on our Advanced Certificate in GDPR Practice course starting in November.

%d bloggers like this: