Tag Archives: CCTV

Domestic CCTV and Data Protection

There was a time where CCTV systems were of a very poor quality and were rather expensive and were therefore limited to commercial premises. However it is now possible to get reasonably good quality CCTV cameras for less than £20 and as such there has been a steady rise in the number of homeowners installing CCTV cameras to help with home security.

Article 2 of the General Data Protection Regulation (GDPR) sets out the Regulation’s material scope; it includes a carve-out for processing of personal data “by a natural person in the course of a purely personal or household activity.” This replicates the language of the Directive which the GDPR replaces and which was reflected in section 36 of the Data Protection Act 1998 (the “domestic purposes” exemption).

On the face of it a home operated CCTV system seems to fall squarely within the scope of the carve-out for personal and household activities in Article 2 of the GDPR; however, the case law which interpreted the old Directive adds some complexity to matters. The placing of a home CCTV system is of particular importance; in particular, what is caught by the camera. If the camera is placed incorrectly then it can result in individuals falling outside of the carve-out in Article 2 of the GDPR and becoming a controller; with all of the liability and responsibility that this entails.

Domestic CCTV can be particularly useful in situations where there are neighbour disputes or where there is allegations of harassment; however, equally these are situations where a particular risk in terms of data protection law enters into the equation.

The issue of the use of domestic CCTV is something that I am increasingly being asked to advise on by clients; both the owners of the CCTV system and their neighbours. Invariably, there are issues that require to be resolved about the use of the domestic CCTV systems in these circumstances.

The matter has never been tested under the GDPR; however, given that the relevant provisions are substantially the same it seems likely that the cases decided under the older Directive and the now repealed Data Protection Act 1998 remain of relevance and will very likely be followed by the courts. Care should therefore be taken when installing domestic CCTV systems to ensure that you can continue to rely upon the domestic purposes exemption and not accidentally incur liability to third parties. People are becoming increasingly more privacy aware and concerned and as such it is becoming more important for domestic CCTV users to become aware of the limits of the domestic purposes exemption and how to avoid incurring liability under data protection laws.

Alistair Sloan

If you require advice and assistance in respect of the use of CCTV by individuals or business; or any other data protection or privacy law concern; then you can contact our team on 0141 229 0880 or by E-mail to info@inksters.com. You can also follow our dedicated information law twitter account for news and updates on a range of information law matters.

Compensation in Data Protection law

Section 13 of the Data Protection Act 1998 makes provision for a data subject to raise court proceedings for payment of damages where there has been a breach of the Data Protection Act 1998 which has caused them damage and/or distress.  The provisions in Section 13 have not been used as often as they might otherwise have; this may have been partly down to the way in which the legislation was initially drafted, but that was rectified (in England, at least) by the English Court of Appeal in Google Inc v Vidal-Hall and ors [2015] EWCA Civ 311.

The General Data Protection Regulation, which is due to become applicable in the UK from 25th May 2018, makes provision for data subjects to obtain compensation from controllers and processors in Article 82.  The right is for “any person who has suffered material or non-material damage as a result of an infringement of [the GDPR]” to be compensated.  Clause 159(1) of the Data Protection Bill (which is still in the early stages of the parliamentary process), provides that this “includes financial loss, distress and other adverse effects.”

A Data Subject is not limited to claiming compensation from the controller.  The GDPR provides that a processor will “be liable for the damage caused by processing only where it has not complied with the obligations…specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.”

Article 82(3) of the GDPR introduces a defence to such a claim for compensation, but it is an exceptionally high test.  No liability arises where the controller or processor “proves that it is not in any way responsible for the event giving rise to the damage.”  The burden of proof falls on the controller or process and liability attaches even where the processor or controller is responsible for the event causing the damage in the most minor of ways.

The terms of Article 82(3) create joint and several liability for controllers and processors.  In a situation where multiple controllers and/or processors are all partially responsible for the event giving rise to the damage; the data subject could elect to sue any one of them (or indeed, all of them).  Where the data subject elects to sue just one controller/processor who is responsible, controller/processor is entitled to recover from the other controllers/processors “that part of the compensation corresponding to their part of responsibility for the damage.”

Where the data subject elects to sue more than one controller/processor then Recital 146 of the GDPR explains that, in accordance with Member State law, compensation may be apportioned by the court according to the responsibility of each controller or processor for the damage caused by the processing.

The GDPR does not stipulate any maximum amount of compensation that can be awarded to data subjects; however, Recital 146 of the GDPR explains that data subjects should receive full and effective compensation for the damage they have suffered.  Quite what “full and effective compensation” mean is something that will be worked out as the courts grapple with the new provisions.  There have been almost no published decisions from the Scottish courts in respect of claims for compensation under Section 13 of the Data Protection Act 1998, but where there have been decisions the compensation awarded has not been particularly high.  For example, Sheriff Ross awarded the each of the Pursuers £8,364 in Woolley v Akbar [2017] SC Edin 7.  That case concerned the use of CCTV at private dwellings and the compensation figure was calculated on a nominal rate of £10 per day that the Defender was in breach of the Act.

The GDPR only applies to processing of personal data in areas which are within the competence of the European Union; however, the Data Protection Bill extends the scope of the GDPR to areas beyond the competence of the European Union.  Clause 160 of the Bill provides for compensation where it cannot be claimed under Article 82 and the clause mirrors the terms of Article 82.

In Scotland both the Sheriff Court and the Court of Session will have jurisdiction to hear claims under Article 82 of the GDPR and Clause 160 of the Data Protection Bill (as is the case with claims under Section 13 of the Data Protection Act 1998).  In practice it is likely that the vast majority of claims will be heard in the Sheriff Court given that it is unlikely that any claim will exceed £100,000 and will therefore be within the privitive jurisdiction of the Sheriff Court.  However, with the advent of Group Proceedings (see Section 17 of the Civil Litigation (Expenses and Group Proceedings) (Scotland) Bill [pdf]) it is possible the Article 82 claims will end up the Court of Session as the Bill only provides for a group proceedings procedure in the Court of Session.

Those who process personal data should be aware that the right of a data subject to claim compensation, whether that be under the Data Protection Act 1998, the GDPR or the Data Protection Bill (when it becomes an Act), arising out of a data protection breach is in addition to any enforcement action that the Information Commissioner takes, such as the issuing of an administrative fine.

Alistair Sloan

If you would like to pursue a claim for compensation for a data breach, or if you require to defend such a claim; or if you would like advice and assistance with any other Information Law matter we would be pleased to hear from you. You can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.