Is your home CCTV system putting you at risk of a data breach claim?

Many homes across Ireland utilise CCTV cameras as a security measure and to deter possible intruders from entering private residences, however many homeowners may not realise that their CCTV cameras could be infringing on others’ personal data rights.

The General Data Protection Regulation (also known as the GDPR) came into effect on the 25th May 2018, which was incorporated into Irish law through the Data Protection Act, 2018.

The GDPR defines “Personal Data” as any information relating to an identified or an identifiable natural person. This definition includes images taken of a person (for example, if a person’s image is captured through the use of a CCTV camera). Therefore, if a person’s image is captured through a CCTV camera, the owner of the CCTV system may well be required to adhere to data protection laws, as highlighted in the case of Rynes v Urad, which was heard by the Court of the Justice of the European Union (“ECJ”) in 2014. 

In this case, Mr Rynes installed a camera system outside his family home. This camera not only recorded the entrance to his home but also recorded the public footpath and the entrance to the house opposite his home. Mr Rynes had installed the camera as his home had been subjected to several attacks over a number of years and CCTV footage of a subsequent attack to his home was used to initiate criminal proceedings (against the suspects). One of the suspects challenged the operation of Mr Rynes ’ CCTV surveillance system with the Czech Office for Personal Data Protection and queried if this CCTV system was lawful, on the basis that Mr. Rynes was collecting personal data (i.e. images of the suspects) without firstly obtaining their consent, thus amounting to an infringement of data protection laws. The Czech Office upheld the suspect’s complaint and determined that Mr. Rynes CCTV system was unlawful and fined Mr. Rynes.

Mr Rynes subsequently challenged this decision, which has then referred to the ECJ which held that as Mr Rynes CCTV system recorded public spaces (as well as being used to protect his home and family), Mr Rynes could not use the “domestic exception” provided by the Data Protection Directive 95/46/EC (which provides for a “domestic exception”, which permits the use of a surveillance system where it is purely for a person or a household activity).

The Irish Data Protection Commission recently provided guidance on this issue, where it advised that if a householder installs a CCTV system which captures images (and sound) of people outside the perimeter of their home, that person cannot avail of the household exception and must comply with Irish data protection laws. The Irish Data Protection Commission’s guidance is available here: Domestic CCTV | 14/01/2021 | Data Protection Commission

Practically speaking, this means that homeowners cannot use their CCTV systems to record images (and sounds) of persons from outside the perimeter of their home, otherwise they run the risk of a neighbour/member of the public claiming that their personal data rights have been infringed and could risk being exposed to a data breach claim before the Irish Courts and/or the Data Protection Commission! 

Before installing your CCTV camera, you should always check to see if the CCTV camera records the perimeter of your property or if it records anything outside. For example does it record any houses in the vicinity of your property?

If you are concerned about potential data breaches that may be affecting your home or business, we at Kane Tuohy LLP, have a dedicated Data Protection department available to help you with any of your requirements.

This Article is not intended as legal advice. For specific queries, please liaise with Sarah Reynolds or Rita Higgins whose details are set out below. 

AUTHORS

Sarah Reynolds, Partner
E: sreynolds@kanetuohy.ie
M: 087 248 4334

Rita Higgins, Solicitor
E: rhiggins@kanetuohy.ie