Last week a Scottish court issued a judgment in a case where damages were sought for breaches of the Data Protection Act 1998 (DPA) in relation to domestic CCTV and surveillance equipment. Whilst, as a sheriff court decision, the court’s judgment is not binding on other courts, the case does consider a number of interesting issues.
Woolley & Woolley v Akbar or Akram (Woolley) centred on two neighbours who each owned properties in a semi-detached house in Edinburgh, one above the other.
After their relationship broke down in 2013, both neighbours installed surveillance equipment.
Unlike the pursuers, whose CCTV equipment covered only their own property, the defender’s surveillance equipment had been positioned it to cover the pursuer’s garden and entrance to their property.
The defender also installed audio recording boxes which were able to pick up conversations in the pursuers’ garden and (it was feared) inside the pursuers’ property itself.
The justification given by the defender was that the equipment was installed to capture any altercations between the parties.
After three (unsuccessful) attempts by the pursuers to limit the extent of the defender’s surveillance and to obtain copies of the personal information processed by the defender, the matter, along with other disputes, came before the courts.
The Sheriff held that the defender had been a data controller for the purposes of the DPA since installation of the equipment in 2013, despite only registering as such in 2015.
In terms of the duty owed to data subjects (including the pursuers), the Sheriff held that the defender had committed multiple breaches of the DPA, which can be broadly summarised as follows:
- the processing was not fair or lawful (a breach of the first data protection principle);
- the surveillance was ‘extravagant, highly intrusive and not limited in any way’ and no adequate justification had been given (a breach of the third data protection principle); and
- the data collected was kept for longer than was necessary (a breach of the fifth data protection principle).
The pursuers were awarded approximately £17,000 in compensation.
The domestic purposes exemption
The case is the latest to consider the application of the EU data protection laws to the activities of private individuals and the exemption in relation to processing for purely personal or household activity (the “domestic purposes exemption”).
In 2014, the European Court of Justice (ECJ) gave a significant ruling in the Reynes case, which confirmed that an individual would not be able to rely on the domestic purposes exemption where the surveillance also monitors a ‘public space’. This applies regardless of the party’s intentions, and prompted the Information Commissioner’s Office (ICO) to update its code of practice for surveillance.
Whilst surveillance that also monitors a public space does not fall within the domestic purposes exemption, the ECJ noted that this did not automatically mean such processing would be a breach of data protection law, if it could be justified.
Interestingly there was no reference in Wooley to the ECJ’s ruling in Rynes, but it does highlight the risks of individuals using surveillance equipment for personal reasons. It also provides some guidance on the meaning of a ‘public space’, which in this case was interpreted to mean any space that is beyond the boundary of an individual’s own private property.
Depending on the nature of activities, many householders using CCTV may be unaware that they qualify as data controllers and fall within the scope of the DPA.
Approach to compensation
Prior to Vidal-Hall v Google Inc. (Vidal-Hall), it was understood that there was a requirement under the DPA for individuals claiming compensation to show pecuniary loss. A claim could not be awarded on the basis of distress alone. However, Vidal-Hall ruled that this approach was incompatible with the EU Directive 95/46/EC (the Directive which the DPA implements into UK law).
In the absence of clear financial loss, quantification of damages for distress can be difficult, and is a developing area.
In Wooley, the pursuers claimed (and were awarded) damages calculated on the basis of £10 per person per day that the defender operated the CCTV system in breach of the DPA. The judgment does not provide more detail on the basis of this model and it was acknowledged that no authority exists for compensation in such circumstances. Indeed, there are indications (a reference to the calculation being a “moderate” basis of claim) that the court may have been minded to award higher damages if they had been sought.
In this case, it appears that the defender did not make any real attempt to justify its actions under the DPA and the ICO’s code of practice for surveillance cameras. In the absence of such representations and such extensive use of surveillance, it was difficult for the court to reach any different conclusion in relation to the alleged breaches of the DPA. For that reason, the court’s specific findings on the breaches of the first, third and fifth data protection principles may be of limited relevance.
However, the case does provide a helpful reminder of the issues to be borne in mind when using surveillance equipment (whether domestic or otherwise) and the importance of ensuring that the use of surveillance equipment is justified and proportionate and complies with the ICO’s guidance.
The court’s approach to quantifying damages for distress is also notable, adopting a per day approach to calculating a monetary amount. It will be interesting to see if this approach is adopted in future cases as the Vidal Hall principle develops.
You can read a longer version of this blog post on the Society for Computers and the Law’s website.
On February 9, 2017