Ring doorbells, domestic CCTV and GDPR | Feature

Last October, the Daily Mail reported that a female doctor’s neighbor could take home more than £100,000 after a judge ruled her Ring smart doorbell cameras violated her privacy, in a landmark legal battle that could pave the way for thousands of women. Lawsuits over the use of the Amazon-owned device. The story was published after an Oxford District Court judge ruled that John Woodard’s use of his Ring cameras amounted to harassment, inconvenience, and a breach of data protection laws. “Yesterday’s ruling is believed to be a first in the UK and could set a precedent for more than 100,000 Ring Doorbell owners nationwide,” the Daily Mail said in its “legal analysis”.

Before Ring doorbell owners rush to disassemble their devices, let’s pause and reflect on this story. It wasn’t about one person using the camera to watch their house or protect their motorcycle. The defendant set up a network of cameras around his property that could be used to watch the coming and going of his neighbor. A careful reading of the ruling leads to the conclusion that the lawsuit brought by the plaintiff, Dr. Mary Fairhurst, was really about the use of local cameras in such a way as to make the neighbor feel harassed and sad. She was primarily seeking relief under the Protection from Harassment Act 1997 and the Civil Injury of Nuisance Act.

Let’s examine the privacy angle. The UK’s General Data Protection Regulation (GDPR) regulates the processing of personal data, including by public CCTV cameras. It can also apply, in some cases, to CCTV systems and domestic door cameras. After all, the owners of such systems process personal data (photos and even audio recordings) about visitors to their property, as well as passers-by and others who have fallen into the peripheral vision of the systems. On the face of it, however, the domestic system should be covered by Section 2(2)(a) of the UK GDPR, which states that the law does not apply to “processing of personal data by an individual in the context of purely personal matters or Domestic activity.” Recital 18 further clarifies: “This regulation does not apply to the processing of personal data by a natural person in the context of a purely personal or domestic activity, and therefore unrelated to a professional or commercial activity. Personal or domestic activities may include correspondence and the retention of addresses or social networks and online activity undertaken in the course of such activities.

Data collected

The judge in that case concluded that the defendant’s camera system had collected data outside the bounds of his property and that a particular camera “had an extremely wide field of view and captured the plaintiff’s personal data as it drove in and out of the parking lot.” This will take the system out of the personal and home exemption mentioned above, as confirmed by the Information Commissioner’s CCTV guidelines: “If you set up your system to only take photos within the confines of your local property (including your garden), the data protection laws will not apply to you.”

“But what if your system captures images of people outside the confines of your private household property — for example, in neighbors’ homes, gardens, common spaces, a public footpath, or a street? Then [GDPR] The Data Protection Act 2018 (DPA18) will apply to you, and you will need to ensure that your use of CCTV complies with these laws.

Once a residential camera system is subject to the provisions of the UK’s General Data Protection Regulation, the owner must of course comply with all data protection principles, including a commitment to transparency (through privacy notices) and ensuring that data processing is adequate, relevant and not excessive. Data subjects also have rights with respect to their data including seeing a copy of it and requesting its deletion (subject to some exceptions).

In the current case, the judge said the defendant “actively sought to mislead the plaintiff about how the cameras worked, whether they worked, and what was captured.” This indicates a breach of the first principle (legitimacy and transparency). There have also been concerns about the amount of data captured by some cameras (the fourth principle).

Let us now turn to the level of compensation that can be awarded to the plaintiff. Section 82 of the UK GDPR contains a self-contained right for litigated data to seek compensation in the event that they suffer material or immaterial harm, including distress, as a result of a breach of the legislation. However, the Daily Mail’s £100,000 headline figure seems exaggerated even for a breach of harassment and nuisance claims, let alone the UK’s GDPR on its own. The court will have to consider evidence regarding the duration of the violation and the level of harm and suffering incurred by the plaintiff.

This ruling does not mean that owners of Ring door cameras must remove them before they pass a dog walker to file compensation claims. But it requires owners to think carefully about the location of the cameras, the adequacy of notifications and the impact of the system on the privacy of their neighbors.

Ibrahim Hassan Lawyer and Director Act Now Training

Leave a Comment