Street surveillance systems: trick or treat?
by Shoosmiths LLP
At Halloween, we look at whether data protection laws protect doorstep trick-or-treaters and how technologies such as CCTV and smart doorbells can be used lawfully under data protection law.
Along with the ghosts and goblins, bands of happy revellers may be preparing to roam the streets this Halloween to get their seasonal sweet fix armed with nothing more than a pumpkin lantern and hopeful smile. The public realm has been transformed in recent years by surveillance technology, which is now spookily affordable. So even if there are no restless spirits, what threats to data privacy may be lurking in the shadows?
As they journey along the streets with trick-or-treat bags in hand, who is watching our group of Halloween visitors, and what data protection principles underlie lawful use of the new spy (or should we say spy-der) ware?
Domestic CCTV
In the UK, the domestic General Data Protection Regulation (UK GDPR) casts a long shadow over surveillance activities. But this regulation does not apply to a “purely personal or household activity” carried out by an individual (Art. 2(2)(a)), and it’s this rule which means that surveillance systems which process images entirely within an individual’s home property boundary will be outside data protection law. That means once they are through the garden gate, provided that the cameras are trained just on the garden path, it’s Enter At Your Own Risk for our Halloween trick-or-treaters.
Things get more complex if the cameras are capturing images outside the property boundary. In theory householders should have warning signs, provide copies of recordings of people if they request, delete footage regularly, and if asked, point cameras elsewhere as long as the property can still be kept safe.
But provided it’s still for a domestic purpose, the Information Commissioner’s Office (ICO) guidance takes a typically pragmatic view. While it says that individuals should where possible “point their CCTV cameras away from their neighbours’ homes and gardens, shared spaces or public streets” it accepts that enforcement is difficult by individuals and the ICO is unlikely to intervene itself other than writing to the offending household. It reminds us that individuals can uphold their privacy rights by going to court: though in reality only the most frightening cases would go this far.
Commercial CCTV
We are talking of course about domestic use; organisations or individuals making commercial uses will not benefit from the household and personal exemption and must comply with UK GDPR. When we talk about “commercial use” it’s important to be aware that household and personal use is defined narrowly and won’t exclude quite a few of what we might think of as non-commercial uses. So, when our band of intrepid trick-or-treaters cuts across the industrial estate, the controller of the CCTV camera footage will have obligations to comply with the full suite of data protection rules. This includes designing the system with data protection principles in mind, assessing lawfulness and transparency requirements, establishing appropriate policies and keeping a full record of what is being done and why. Controllers must also carry out a data protection impact assessment if there is high risk processing such as monitoring publicly accessible places on a large scale or monitoring individuals at a workplace. It’s important to remember that controllers of CCTV systems must pay an annual fee and register with the ICO, who may ask for compliance documentation and evidence that rules are being followed at any time. It could give a controller quite a scare.
The ICO has stern words for over-excited investors in surveillance gizmos. It says “you should make decisions based on ability to provide a data protection compliant solution to a problem. You should not purchase a system because it is new, available, affordable or in the belief that it will gain public approval.”
All very well, but is there any more prescriptive advice for system operators? In the UK we have a Surveillance Camera Code of Practice but for most organisations this is advisory only. Relevant public authorities have obligations to follow it, under s. 29 of the Protection of Freedoms Act 2012. But the lack of a firm design and implementation framework, despite the best efforts of the Biometrics and Surveillance Camera Commissioner, means that both controllers and those caught on camera may be left somewhat in the dark about the lawfulness of particular systems.
Smart Doorbells
Our Halloween crew has dodged the fixed cameras through the car park and made it to the next front door. Like so many built to take advantage of the Internet of Things (IoT) this house has a smart doorbell which records their every move. As with CCTV, this type of fixed camera system falls within the scope of data protection law once it records footage outside a property boundary. Once again, our trick-or-treaters will have the theoretical right to stop the householder from recording them as they stand on the street but may well struggle to stop it happening in practice.
These rules will only be applied to fixed camera systems. Drones, dashcams and the trusty mobile phone when used in a private capacity rather than for business use will also usually be outside data protection law. So there’s nothing to stop the householder from taking a seasonal pic of the fabulous costumes on display.
That said, the person answering the door may also want to consider who else may be watching that smart doorbell footage. In May 2023 the US Federal Trade Commission fined Amazon $5.8m following allegations of unauthorised access to remote camera footage from doorbell-type systems. Ring is now under orders to stop this usage, and its European terms and conditions assure us that none of this is permitted under the watchful eye of the GDPR. But for some potential users these concerns may have broken the spell.
It’s an important reminder for anyone establishing a surveillance system: images are generally processed remotely on third party platforms – and the footage is only as secure as those platforms are. It’s worth thinking carefully about where that data is going and how you will respond to requests for access to footage from those caught on camera (and from the authorities trying to catch them).
And the future?
Another scary prospect for our sugar-fiends is the combination of this type of technology with biometric recognition and classification systems. For the moment the regulation of biometric technologies around the world is racing to catch up with potential uses, and possible outcomes are hard to predict. The ICO has just finished consulting on Phase 1 of its new biometrics guidance.
The rapid development of advanced facial recognition techniques, plus gait and other movement analysis, means that perhaps privacy wizards may before long only agree to venture out after dark, with gloves, a mask and a theatrical walk – and not just at Halloween.