Data Protection and Halloween: Protecting Trick-or-Treaters from Surveillance
Introduction
As Halloween approaches and children prepare to embark on their candy-filled adventures, it’s crucial to examine how data protection laws come into play when it comes to the use of surveillance technology. The rise of affordable surveillance devices, such as CCTV cameras and smart doorbells, has transformed the public realm, raising concerns about privacy and data security. In this report, we will delve into the principles underlying the lawful use of surveillance technology, explore how data protection laws apply to different scenarios, and discuss the potential implications for both individuals and organizations.
Domestic CCTV and Data Protection
Under the domestic General Data Protection Regulation (UK GDPR), surveillance activities are subject to certain rules. However, the UK GDPR does not apply to “purely personal or household activity” carried out by individuals. This means that if surveillance cameras are used solely within the boundaries of an individual’s home property, they fall outside the scope of data protection law. Therefore, once trick-or-treaters step through the garden gate, as long as the cameras are focused only on the garden path, they are essentially entering at their own risk.
The situation becomes more complex when cameras capture images outside the property boundary. In theory, householders should provide warning signs, offer copies of recordings upon request, delete footage regularly, and redirect cameras if asked, as long as the property can still be kept safe. However, the Information Commissioner’s Office (ICO) acknowledges the enforcement difficulties faced by individuals and is unlikely to intervene unless a formal complaint is made. While individuals can seek legal recourse to uphold their privacy rights, only extreme cases are likely to reach this stage.
Commercial CCTV and Data Protection
It’s important to draw a distinction between domestic and commercial use of CCTV systems. Organizations and individuals engaged in commercial activities are not exempt from data protection laws and must comply with the UK GDPR. Even what may be perceived as non-commercial uses can still fall within the scope of data protection regulations. Therefore, when trick-or-treaters venture into areas under the surveillance of commercial CCTV cameras, the controllers of the footage have legal obligations to adhere to data protection rules.
Controllers of commercial CCTV systems must design their systems with data protection principles in mind, ensure lawfulness and transparency, establish policies, and maintain comprehensive records of their actions. If there is high-risk processing involved, such as monitoring publicly accessible places on a large scale or monitoring individuals at a workplace, a data protection impact assessment must be conducted. Furthermore, CCTV system controllers are required to register with the ICO and pay an annual fee. Non-compliance can lead to stern penalties, making it essential for controllers to familiarize themselves with the legal requirements and maintain strict compliance.
Surveillance Camera Code of Practice
While the UK has a Surveillance Camera Code of Practice, it is primarily advisory for most organizations. Only relevant public authorities are legally obligated to follow it. Unfortunately, the lack of a firm design and implementation framework presents a challenge for both controllers and individuals caught on camera, as the lawfulness of specific surveillance systems may not be clearly defined. Efforts by the Biometrics and Surveillance Camera Commissioner to provide guidance have been limited in their impact. This situation leaves both controllers and those surveilled in the dark, with limited recourse to ascertain and enforce their rights.
Smart Doorbells and Data Protection
In the era of the Internet of Things (IoT), smart doorbells have become increasingly popular, recording the activities that occur outside property boundaries. Similar to CCTV systems, smart doorbells come under the purview of data protection law once they capture footage outside an individual’s property. However, enforcing the right to prevent the recording of one’s activities while on a public street can be challenging in practice, even if it is theoretically allowed.
It is important to note that these regulations usually apply to fixed camera systems. Drones, dashcams, and mobile phones used in a private capacity, rather than for business purposes, are generally exempt from data protection regulation. Therefore, individuals answering the door may want to consider who else may have access to the smart doorbell footage. Recent incidents, such as the fine imposed on Amazon by the US Federal Trade Commission for unauthorized access to doorbell camera footage, highlight the need for caution and awareness of data security. Individuals should carefully consider where their data is stored and how they would respond to requests for access to footage, both from those recorded and from the authorities.
The Future of Surveillance Technology and Data Protection
Looking ahead, the future of surveillance technology raises additional concerns. When combined with biometric recognition and classification systems, these technologies have the potential to erode privacy rights further. However, regulations governing biometric technologies are still playing catch-up, making it challenging to predict their impact. The ICO has recently undergone consultations on new biometrics guidance, recognizing the swift development of facial recognition, gait analysis, and other advanced techniques. It is conceivable that privacy-conscious individuals may only feel safe venturing out in the dark, masked, and with a distinct gait, not just during Halloween but on a regular basis.
Conclusion
As trick-or-treaters traverse the streets this Halloween, the application of data protection laws to surveillance technology warrants our attention. While domestic users of CCTV systems benefit from exemptions under the UK GDPR, controllers of commercial systems must navigate a range of data protection responsibilities. The lack of a comprehensive framework and cumbersome enforcement mechanisms impose challenges on both controllers and individuals caught on camera. The proliferation of smart doorbells and the potential integration of biometric technology further complicate matters. It is vital for individuals and organizations to educate themselves on their rights and obligations under data protection laws to ensure the delicate balance between privacy and security is maintained.
<< photo by Florian Olivo >>
The image is for illustrative purposes only and does not depict the actual situation.