Every aspect of our daily lives is or will become connected through some form of device, gadget or gimmick that helps trace our surroundings for our own comfort. Actually, comfort may come at a price, as the European Court of Justice - ECJ (again) stated this on 11 December, when it published its decision in the Rynes case, giving way to another limitation to the rights under the Data Protection Directive (DPD).
The facts? Mr Rynes, a Czech national, used a surveillance camera to protect his home, visually (but not audio) recording its surroundings. The data was stored only until full recording capacity was reached, and then newer data was overwritten. Luckily, when his house was broken into, Mr Rynes was able to identify the suspects using the surveillance footage.
Following a complaint by one of the suspects, the Czech data protection authority found that Mr Rynes (a) collected personal data of the persons on the street without prior consent; (b) those people were not informed of the purpose of such processing; and (c) personal data processing was not reported to the data protection authority. The national court asked the ECJ whether the above were required in case of domestic surveillance, and if this does not fall under the household exception in the DPD (i.e. processing of personal data done by an individual in the course of a purely personal or household activity is exempt from DPD application).
The ECJ made reference to the Charter of Fundamental Rights of the EU (Charter), and particularly to the right to private life, which may be limited only in particular situations and to a limited extent. The application of the DPD makes it possible to construe legitimate interests which may permit personal data processing without the DPD limitations and required consent. However, if a personal surveillance camera records activity outside of private property, it cannot be considered to fall under the household exemption.
The decision is of major importance especially with the rise of the Internet of Things, the smart-watch industry and other devices that intrinsically have the capacity to record activity and the surroundings, even while rolling in the background. The decision may be seen as outrageous for firm believers in the principle of proactive self-defense, but it is not the first decision of such a kind on the continent - earlier this year, an Irish individual was asked to take down a website showing images of burglars creeping in his house, or risk a EUR 100,000 fine.
The larger issue here is the lack of control over what an individual actually ends up doing with footage recorded initially for personal security purposes. But it's also something that naturally could not be regulated without in itself constituting a breach in private life. Balance - a word very often used when it comes to personal data protection, especially since"the right to be forgotten" landmark decision was issued - must be struck between ways to limit the rights of individuals over household recordings and an absolute interdiction to process data even when personal safety justifies it.
As is the case with "the right to be forgotten", there is a strong need to have independent bodies decide over criteria to be met for the above to actually be applicable - otherwise, it only gives way to abuse, and personal safety becomes yet another barrier torn down by burglars in their quest for our riches. Equally, since house surveillance cameras - actual or masked in other devices - are very much present in residential areas, national data protection authorities should be prepared in tackle this issue, since thieves of all kinds are always one step ahead of the law.
Finally, let's not forget about drones, which even in cases of commercial use (as Amazon has been doing recently via Prime Air, delivering products to customers) can even accidentally record activity in order to be able to locate the exact delivery point; if Amazon will ever want to implement the system in Europe, it will have to take into the account the above as well.