Law and Rights
Professor Lorna Woods, co-author Steiner and Woods EU Law
Introduction
Facts
Question Referred
Opinion of the Advocate General
Comment
- Data Protection: The Cjeu Clarifies The Applicable Law And Jurisdiction
Lorna Woods, Professor of Internet Law, University of Essex*The CJEU recently gave judgment in the Weltimmo case, concerning the reach of data protection supervisors, ruling that one Member State?s supervisor can have jurisdiction on organisations mainly...
- ?the Right To Be Forgotten?: The Future Eu Legislation Takes Shape
Steve Peers The furore over the ?right to be forgotten? in EU data protection law focusses, obviously enough, on the CJEU?s judgment in Google Spain, which obliquely referred to such a right, by means of interpreting the EU?s existing data protection...
- Towards A Web 3.0? The Impact Of The Google Spain Judgment On Social Networks And Wikipedia
Steve Peers If its age could be measured in ?Internet years?, the EU?s data protection Directive would be prehistoric. This can easily be demonstrated by comparison with the age of Facebook. The Directive was adopted seven years before the virtual panty...
- The Cjeu's Google Spain Judgment: Failing To Balance Privacy And Freedom Of Expression
By Steve Peers The EU?s data protection Directive was adopted in 1995, when the Internet was in its infancy, and most or all Internet household names did not exist. In particular, the first version of the code for Google search engines was first written...
- Are National Data Retention Laws Within The Scope Of The Charter?
By Steve Peers Following the annulment of the EU?s data retention Directive by the CJEU, an obvious important question arises: are national data retention laws subject to the same ruling of the Court? The purpose of this post is to set out the reasons...
Law and Rights
Big Brother?s Little Brother? The scope of the ?household exception? to EU data protection law
Professor Lorna Woods, co-author Steiner and Woods EU Law
Introduction
In the case of Ryne?, the Czech Supreme Administrative Court, Nejvy??í správní soud, referred a question on the meaning of the ?household activity? exception under the EU Data Protection Directive to the Court of Justice. Central to the question was the fact that the processing was by a CCTV camera which was not restricted to the CCTV operator?s own house but covered also the public footpath outside it and the house opposite, when the ?household exception? refers to data processed ?exclusively? for personal and household purposes. This is an area in which member States? practices diverge. With the exception of Lindqvist, the Court has not dealt with the conditions of applicability for the household exception. Since then, the EU Charter of Fundamental Rights ? which recognises not only the right to private life but also the right to data protection ? has acquired legal force by virtue of the Treaty of Lisbon. The Opinion of the Advocate General was handed down today, later than originally scheduled.
Facts
The case arose from the fact that Mr Ryne? installed a CCTV camera on the corner of his house which overlooked not only his front door, but also the public footpath and the opposite house. His aim was to protect his family and his property, as there had been some previous vandalism to his property. Shortly after the installation of the CCTV system, the windows of the house were broken once again. The CCTV footage was used to identify two individuals, one of whom questioned whether the use of the CCTV system was permissible under the Czech data protection law (implementing the directive).
Question Referred
Mr Ryne? argued that the so-called ?household exception? in Article 3(2) of the Data Protection Directive applied. It states:
2. This Directive shall not apply to the processing of personal data:
- in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law,
- by a natural person in the course of a purely personal or household activity.
- in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law,
- by a natural person in the course of a purely personal or household activity.
The Court referred the following question:-
Can the operation of a camera system installed on a family home for the purposes of the protection of the property, health and life of the owners of the home be classified as the processing of personal data ?by a natural person in the course of a purely personal or household activity? within the meaning of Article 3(2) of Directive 95/46/EC, even though such a system monitors also a public space?
Opinion of the Advocate General
The Advocate-General made a number of preliminary points, notably that the answer to the question did not depend on whether the data was stored or erased, or whether the data was used or not used. What seemed central was the existence of surveillance via the CCTV system. The Advocate General noted this case concerned a fixed CCTV system, where the surveillance was constant. The Advocate General commented that he did not intend to go into the area of devices of a different character, such as mobile phones (AG[30]).
The Advocate-General also emphasised that the Charter applied and that the scope of the directive itself ? or limitations on its field of application - should be determined in the light of the right to private life and in this the Advocate-General referred back to principles highlighted in Google Spain; specifically the need to ensure the effectiveness of the directive, stating that the approach in Google Spain (para 69) did not just apply in regards to public authorities but in the context of horizontal relations also (AG [28]), subsequently returning to the need to provide a high level of protection a little later in the opinion (AG [39],citing Digital Rights Ireland, the judgment on the invalidity of the data retention Directive).
The Advocate-General distinguished between the activities of the police (which fall under the first indent in Article 3(2)) and those of Mr Ryne?. He was not acting as a member of the police force but as a victim even though he did give the images to the police; the exception for policing therefore did not apply to him. The Advocate-General argued that the scope of the directive should not be determined by the subjective views of interested parties but by objective factors and, as with all exceptions and limitations, should be interpreted narrowly - as illustrated by cases such as Satamediaand Lindqvist.
Returning to Lindqvist, in which AG Tizzano had given the example of correspondence and address book of personal activity, the Advocate General here suggested that the exception should be limited to those activities which are manifestly private and confidential. In the view of AG Jääskinen, this means activities which are closely and objectively connected to an individual?s private life and do not significantly touch on the private life of others. Family life has a distinct link with the domestic environment, though is not limited to the family home but could include a hotel room or a family car (AG [51]). This is more or less the same ground as protected by Art. 7 of the EUCFR. For the household exception to apply, whether in respect of private life or family life, there is the additional condition of exclusivity. The Advocate General concluded that the video surveillance of others could not be considered exclusively ?personal?, though it could in principle fall within the scope of domestic activity. Crucially, however, the extension of the surveillance to public space cannot be considered exclusively domestic because of the impact on others, who may wish to preserve their anonymity. The underlying concern is the impact of living one?s life under a constant state of surveillance, as noted in Digital Rights Ireland (AG [56]).
The Advocate General concluded that the household exception could not be relied on.
Comment
This seems to be another in the recent trend of cases where the Court ? or its Advocates General ? has interpreted the Data Protection Directive so as to extend or support protection for the data subject. This can be seen by the attention paid to the recent cases of Google Spain and the repeated references to Digital Rights Ireland. While there was some reference to Lindqvist when determining the detail of Article 3(2), it played little role in informing the general direction of approach. While Satamedia allowed a broad approach to the ?journalistic exception? in Article 9 of the Directive, which can be contrasted with the narrow approach here, the exception was of a different type ? here the effect of Article 3(2) is to take the data outside the field of the directive altogether. Further, Article 9 brings into play the countervailing interest in freedom of expression. No such interest comes into play to extend private life, or to equate vigilantism with police forces (see also Lindqvist on this).
A particular theme is that of the impact of constant surveillance on individuals and on society, again following on from recent cases. In this the EU judiciary seems in line with ECHR case law. Though the Advocate-General discounted Peck (which concerned re-use of security footage from a local council), there is an existing line of law on state surveillance: for example Liberty v. UK and the pending case of Big Brother Watch v. UK(though admittedly there have been critics about the level of consistency of protection ? see e.g. Uzun v. Germany concerning GPS tracking). The Advocate-General specifically excluded the possibility of discussing other surveillance devices such as mobile phones on the basis that they have different characteristics. This seems like an attempt to sidestep controversy as, from the reasoning, the same issues about surveillance and the impact on individuals could arise. Admittedly, mobile phones tend towards individual instances of use, which may be more likely to fall within one limb or other of the household exception.
There are new devices, such as Google Glass, which allow for continuous monitoring (until the battery needs recharging at approx. 45 minutes according to Google), without it being clear whether or not such monitoring is taking place. This is a significant difference from use of a mobile phone for filming, despite Google?s suggestions that Google Glass is no different from a mobile phone (which could in any event fall outside the household exception itself). If the Court follows the Advocate General, this adds a gloss to the advice given by the UK Information Commissioner (ICO) after Google glass went on sale here. The ICO blog contains the following statement:
If you are using a wearable technology for your own use then you are unlikely to be breaching the Act. This is because the Act includes an exemption for the collection of personal information for domestic purposes. But if you were to one day decide that you?d like to start using this information for other purposes outside of your personal use, for example to support a local campaign or to start a business, then this exemption would no longer apply.
This is not the case for organisations, whose use of wearable technology to process personal information will almost always be covered the Act?.
The way this advice is phrased, it is capable of being read as suggesting that ?personal use? is non-business use, whereas on the view of the Advocate-General it seems likely to be narrower than that and therefore could trigger data protection procedures. Data Protection Commissioners have raised concerns about Google Glass and compliance with local laws. Perhaps the ECJ will have more luck in attracting Google?s attention ? though the real burden and risk of penalties would seem to fall on users.
Barnard & Peers: chapter 9
- Data Protection: The Cjeu Clarifies The Applicable Law And Jurisdiction
Lorna Woods, Professor of Internet Law, University of Essex*The CJEU recently gave judgment in the Weltimmo case, concerning the reach of data protection supervisors, ruling that one Member State?s supervisor can have jurisdiction on organisations mainly...
- ?the Right To Be Forgotten?: The Future Eu Legislation Takes Shape
Steve Peers The furore over the ?right to be forgotten? in EU data protection law focusses, obviously enough, on the CJEU?s judgment in Google Spain, which obliquely referred to such a right, by means of interpreting the EU?s existing data protection...
- Towards A Web 3.0? The Impact Of The Google Spain Judgment On Social Networks And Wikipedia
Steve Peers If its age could be measured in ?Internet years?, the EU?s data protection Directive would be prehistoric. This can easily be demonstrated by comparison with the age of Facebook. The Directive was adopted seven years before the virtual panty...
- The Cjeu's Google Spain Judgment: Failing To Balance Privacy And Freedom Of Expression
By Steve Peers The EU?s data protection Directive was adopted in 1995, when the Internet was in its infancy, and most or all Internet household names did not exist. In particular, the first version of the code for Google search engines was first written...
- Are National Data Retention Laws Within The Scope Of The Charter?
By Steve Peers Following the annulment of the EU?s data retention Directive by the CJEU, an obvious important question arises: are national data retention laws subject to the same ruling of the Court? The purpose of this post is to set out the reasons...