I always feel like, somebody’s watching me…
You may have seen news of Jon Woodard, who lost a court case in October after installing a Ring camera doorbell and three security cameras on his house in Oxfordshire. His neighbour, Dr Fairhurst, complained that the camera captured images and sound recordings from her property next door without asking her, and that this amounted to harassment, nuisance and a breach of her privacy.
The court agreed, ruling in a 49-page judgment that Mr Woodard’s use of the doorbell and cameras breached both the UK GDPR and the Data Protection Act 2018 and amounted to harassment (although the claim for nuisance was dismissed).
The court held that Mr Woodard was a data controller and that the images and audio files recorded of Dr Fairhurst did amount to personal data. It also decided that Mr Woodard did not have a “legitimate interest” in processing that personal data, and therefore was not acting lawfully. The court also held that Mr Woodard was processing personal data beyond that which was “relevant and limited to what is necessary”.
But the point I want to examine arises from an interesting statement in paragraph 32 of the court’s judgment, which says:
“[Mr Woodard’s] evidence that he asked the [Information Commissioner’s Office] if he could register to be a data controller but was told that he could not, as [his house] was a domestic dwelling, is extremely surprising advice for the ICO to give, as it is patently wrong and is as wrong under the DPA 2018 as it was under its predecessor legislation, the Data Protection Act 1998. I do not believe, on the balance of probabilities, that he was told this at all.”
Some might wonder whether the judge, HHJ Clarke, got this wrong, and whether the ICO (the regulator for data protection and privacy issues in the UK) was correct, based on the following extract from the UK GDPR (article 2(2(c)):
“This Regulation [ie. the UK GDPR] does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity.”
On the basis of the above, Mr Woodard is, obviously, a ‘natural person’, and recording images and sound on a doorbell is a household activity. Or alternatively, the argument that he was undertaking a commercial or business activity is very weak indeed. And therefore, it would be reasonable to conclude that the UK GDPR would not apply to the images and sound recordings at all where these are purely household activity. This would not affect the decision insofar as it related to harassment, so he would still be liable to pay compensation to Dr Fairhurst, but I’m not sure he should have been found guilty of breaching the UK GDPR and the Data Protection Act 2018.
This article of the UK GDPR was not referred to in the court’s decision, and unfortunately the judgment does not record whether Mr Woodard’s legal advisers raised it as an argument in his defence. But if one’s own doorbell does not count as “personal or household activity”, then what does?
Guidance on the processing of data in the course of a personal activity or household activity on the ICO’s website says:
“Personal data processed in the course of a purely personal or household activity, with no connection to a professional or commercial activity, is outside the UK GDPR’s scope. This means that if you only use personal data for such things as writing to friends and family, or taking pictures for your own enjoyment, you are not subject to the UK GDPR.”
“You will not need to comply [with UK GDPR] if you only use the information for your own personal, family or household purposes, eg personal social media activity, private letters and emails, or use of your own household gadgets.”
Some might argue then, that this is what Mr Woodard was doing – recording images and sound for his own personal use. The regulator’s guidance explicitly lists ‘household gadgets’, which surely would include a Ring doorbell. So, why did the court ignore article 2(2)(c) and the ICO’s guidance above? Why did the court choose instead to criticise the advice that Mr Woodard claims to have received from the ICO which, on reflection, could well have been absolutely correct.
It transpires that what the particular ICO guidance detailed above does not go on to do, is flag (at that particular spot on its website), the existence of further, more detailed, guidance on its website around the use of CCTV devices. This further guidance provides:
“If you set up your system so it captures only images within the boundary of your private domestic property (including your garden), then the data protection laws will not apply to you.”
OK, so far so good. That said, it’s not such an easy task, to set up a system so it is limited to your own property boundary. The devil as always is in the detail. The ICO CCTV guidance continues:
“But what if your system captures images of people outside the boundary of your private domestic property – for example, in neighbours’ homes or gardens, shared spaces, or on a public footpath or a street? Then the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18) will apply to you, and you will need to ensure your use of CCTV complies with these laws.”
For any lay person navigating their way around the legislation, it’s not exactly straightforward but it is most likely the theory behind the above statement that gave rise to the costly decision in favour of Mr Woodard’s neighbour. Notably, in an effort to allay Ring users’ concerns, the company has changed its software to allow the devices to be customised, thus blocking the camera from recording images outside of the users’ properties. Changes have also been made to the sound recording functions to make them less sensitive.
But ultimately, the advice is to be transparent, open and honest with any neighbour whose movement or speech is likely to be captured.
We will have to wait to see the amount of compensation that Mr Woodard will be ordered to pay to Dr Fairhurst. And if media reports as to Mr Woodard’s financial position are correct, he’s unlikely to have the resources to appeal the decision to a higher court, so we may not get an answer to my question in the immediate future.
With the upcoming Black Friday deals, users looking to bag a Ring doorbell will need to be clear on how the law applies to them when they manage their settings.
For further information or advice, contact BPE’s Commercial team (Iain Garfield) for matters of UK data protection law .
These notes have been prepared for the purpose of articles only. They should not be regarded as a substitute for taking legal advice.