Home Security Devices and Privacy: a 21st century problem

  • Posted

Longmores recently acted for the successful claimant in the ‘Ring Doorbell’ court case, obtaining injunctions and damages against her neighbour.  Actually, the most important part of the case was not the Ring Video Doorbell, or the three other cameras involved. The surveillance capabilities of Ring devices are extensive, but the manufacturer make it clear that users are responsible for using their devices within the law. In this case, the defendant did not.  This was a case where the judge found the defendant had harassed the claimant, attempted to intimidate her, and had misled both her and the court about the extent of the surveillance he was carrying out. It was primarily about this defendant, which some articles have failed to recognise.  However, it did also deal with a genuinely new legal issue. Courts have not previously ruled on the use of popular home security devices in the hands of private individuals. This article explores that issue further.

What Legal Issues arise from CCTV and Home Security Systems?

Any CCTV or security camera system is capable of capturing information about people. This leads to concerns over how to protect personal privacy.

When it comes to the use of surveillance by government and law enforcement agencies, this naturally leads to a debate about the power of the state, and its impact on individual rights.

For private organisations or individuals, the issue is slightly different. On one hand they do not have the same powers as the state; on the other they are not carrying out the same public function. The issue is balancing the rights of different parties.

In English law, this balancing act is primarily governed by data protection legislation; the Data Protection Act and GDPR.  Images of people captured by CCTV and entries about people in a database are treated in a similar way – they are both forms of personal data. Personal data has to be processed fairly, and individuals have various rights in relation to their personal data.

At this point, there is a key difference between organisations and individuals. Nowadays, personal data is essential to the operation of most businesses. Most businesses therefore need to register with the ICO as data controllers, regardless of whether they have security cameras. If an individual has an issue with a business’s use of personal data in any form, they can pursue a complaint to the Information Commissioner’s Office (ICO).

Private individuals do not have the same obligations. Traditionally, they have not handled much personal data of any sort. There is a specific exception in data protection legislation for purely personal and household activities, which applies to security cameras that record within your own property.

CCTV systems used to be expensive and complicated, so were rarely used in domestic properties. Now, the cost of home security devices has reduced and devices from Ring and Nest are simple and cheap enough to be treated as normal consumer items. As a result, they have been fitted in more and more private homes.

At the same time, their capabilities have increased. High-definition video and audio capabilities mean that they can capture data from a wider area. If that extends beyond the property on which they are mounted, they have turned their owner into a data controller.

What is the Issue with Home Security Devices and Privacy?

Most people do not realise that using home security devices that work in areas outside their property makes them data controllers. However, it would be a mistake to see this as a reverse legal loophole, that mires unsuspecting people in pointless red tape. The obligations imposed on data controllers are there because they have so much power. With this power comes responsibility. Some form of control over private surveillance is needed more than ever.

Of course, home security devices can have a positive side, that manufacturers and the police often highlight. The police often appeal for private video footage after a crime, and the wider the area of the surveillance, the more useful that footage will be. Like public surveillance by the state, these devices can help catch or deter criminals.

However, that is where the similarity ends. Without legal restrictions, the person capturing the data is answerable to no one. There is no one who can check how the data that is captured is used. There is no one to complain to or vote out of office.

You do not need to be a privacy campaigner to appreciate the difficulties that this causes. Modern home security devices can operate 24/7, every day of the year, storing video and audio data for weeks at a time. They can activate based on movement in specified zones, often extending far beyond the device. They can capture audio of normal conversations, even ones that occur far away from the device. They come with lights and night vision, to capture movement after dark. They send out alerts when activity occurs, allowing the owner to check on what is going on. Over time, more functionality is often added by firmware updates.

Also, these home security devices are usually controlled by an app. The user can check in and see the footage at any time of day or night, wherever they are. They can change the settings on the fly, capturing more or less footage at a whim. They can download and save the footage if they wish, so they have a permanent record.

This is obviously a gift to nosy neighbours. They can no longer be betrayed by a twitch of the net curtains; their interest in their neighbours’ private business will be completely unobserved. A quick alert will show them who is coming to visit whom, for how long they stay, perhaps their expression as they come and go.  They can capture the conversations of their neighbours using audio; they can see into gardens that are not overlooked in the traditional sense.

Also, this problem confined to snooping or creepy behaviour. The information that surveillance offers can be used to control and intimidate neighbours. The owner of the device not only knows more than he would without the device; he knows precisely how much he knows, while no one else does. No one can even tell what settings he has at any time, how far his surveillance extends, or whether he has really captured or stored what he claims.

It is therefore unsurprising that surveillance is often a feature of neighbour harassment, just like the ‘Ring Doorbell’ case.

What is the Law on Home Security Devices?

The actual legal principles in this recent court case were not new. Home Security Devices that only work in the home are not caught by data protection legislation. However, data protection law will govern home security devices that work in areas outside their owner’s property.

This does not mean that these devices are ‘illegal’. It means that the owner has become a data controller.

In this case, the Ring home security devices had captured personal data, and had done so outside the defendant’s property. The judge found, as she had to find, that the defendant was a data controller. At that point, she measured his conduct and the capability of his devices against the principles laid down in data protection legislation. As he had not even been close to complying, the judge granted injunctions against him and awarded damages to the claimant.

This does not mean that anyone else who has become a data controller has acted unlawfully. The case does leave many questions unanswered. In a case where someone has done more to comply with their legal obligations, how will the court decide when this is enough? How much weight will be given to a proper consultation with neighbours, the maintenance of records, and evidence they considered alternative and less intrusive technology? Assuming the justification for the cameras is security, will crime rates in the area have an impact on the court’s decision?

Unfortunately, these questions are likely to be unanswered for some time.

I Own a Home Security Device – What Should I Do?

On a practical level, if you own a home security device, you should take great care. The safest solution is to avoid recording any area outside your own property, as that will avoid you being treated as data controller altogether. Complying with data protection law is not much fun. By becoming data controllers, private individuals face obligations that were really designed for organisations.

However, if you do find you qualify as a data controller, consulting your neighbours is the next best thing to do. They are the most likely to be affected by your home security devices. Consulting with them (including giving them accurate information about the capabilities of your home security devices) is a vital step to complying with your legal obligations. Perhaps more importantly, it helps avoid a legal issue arising at all.

If neighbours do object, whether or not they initially agreed to the device being fitted, you may need to get specific legal advice on your situation. Likewise if you receive any subject access requests or complaints.

My Privacy is Affected by Home Security Devices – What Should I Do?

In this situation, the first thing to consider is speaking to the owner. Some people do not know what their devices can do, or do not realise how people are affected by them. They may be prepared to make changes that protect your privacy.

If the owner is not prepared to listen, or you are concerned about speaking to them, you may need to consider getting your own legal advice.

Should the Law be Reformed?

As this discussion has highlighted, using data protection law is not an obvious way to regulate private surveillance. In fact, the current law has many shortcomings, both for users and complainants.

Firstly, there is no effective recourse to the ICO, as exists with other data breaches. The ICO have indicated they will rarely get involved in cases involving home security devices. This may be sensible from a resource perspective, but it denies claimants any cost-effective remedy.

Second, data protection principles are hard to apply to domestic users. This creates uncertainty as to what is or is not acceptable. It will take multiple court cases to clarify the limits of what is and is not acceptable.

Third, evidence is often a major stumbling block. Manufacturers often focus on controlling the activation of devices in software. While this is not a problem for people using equipment in good faith, it makes it hard to control those that do not. claimants will not normally know the settings of the equipment they are complaining about. Even an inspection is useless, because the settings can be adjusted instantly on an app.

Finally, the law places the onus on the users of devices to ensure they are within the law. This has some logic to it, but it ignores the reason for the current issues. As devices become more capable, complying with the law becomes harder.

Nonetheless, there are currently no active proposals to change the law in this area. For the foreseeable future, private surveillance will be governed by data protection legislation.

Here to Help

If you need advice about privacy issues with home security devices, please get in touch with Nat Young, in our Dispute Resolution team.

This article is for information only and should not be relied upon as legal advice. If you need legal advice on the issues raised in this article, please contact a member of our team.