CJEU's CCTV ruling: guidance on legitimate interests processing
Case C-708/18 TK v Asociaţia de Proprietari bloc M5A-ScaraA EU:C:2019:1064
When can you rely on the legitimate interests basis for processing personal data?
The key takeaway
Remember to carry out the three-stage test, namely the “purpose test”, the “necessity test” and the “balancing test”, when weighing up the processing of personal data on the legitimate interests basis. Also, don’t forget to assess whether alternative means are available to meet the same objective of the processing and to apply the condition only in so far as is strictly necessary.
The co-owners of a Romanian apartment block installed CCTV cameras in the common parts of the building. TK, who owned an apartment in the building, objected and brought an action seeking the removal of the cameras on the grounds that the cameras amounted to an infringement of the right to respect for private life.
The Romanian court decided to refer the case to the CJEU for guidance on whether Articles 6(1)(c) and 7(f) of the Data Protection Directive (95/46/EC), read in light of Articles 7 and 8 of the EU Charter of Fundamental Rights, precluded national law from allowing installation of a system of video surveillance in the common parts of a residential building, for the purposes of pursuing legitimate interests in ensuring the safety and protection of individuals and property, without the data subjects’ consent.
The CJEU observed that surveillance in the form of a video recording of persons, which is stored in a continuous recording device (ie the hard disk drive), constituted automatic processing for the purposes of Article 3(1) of the Directive. Such processing must comply, first, with the principles relating to data quality (set out in Article 6) and also with one of the criteria for making processing legitimate (listed in Article 7).
The relevant criterion here was the legitimate interest basis for processing personal data. The court identified three cumulative conditions needed for processing of personal data to be lawful under the provision:
- The pursuit of a legitimate interest by the data controller or by a third party or parties to whom the data is disclosed
- The need to process personal data for the purposes of the legitimate interest pursued, and
- A balancing exercise, namely the fundamental rights and freedoms of the person concerned by the data protection do not take precedence over the legitimate interest pursued.
The CJEU re-emphasised that the legitimate interests condition requires processing to apply only so far as “strictly necessary”. This means the objective “cannot reasonably be as effectively achieved by other means less restrictive of the fundamental freedoms.” The CJEU turned to the data minimisation principle (under Article 6(1)(c)). Here, alternative measures were initially put in place but proved insufficient. For example, the installation of an intercom/magnetic card entry system had failed to prevent damage being caused to the apartment block. Additionally, the video surveillance device was limited only to the common parts of the building and the approach to it. The CJEU further considered whether it was necessary for the CCTV system to run constantly, or only at certain times of the day and night.
In carrying out the fact-specific balancing exercise, the CJEU stated that factors such as the nature of the personal data at issue, the specific methods of processing involved, the number of persons having access to the data and the methods of accessing the data need to be considered. Additionally, the data subject’s reasonable expectations of their data being further processed need to be balanced against the legitimate interests of the building owners in protecting the property, health and lives of the building’s occupants.
The CJEU concluded that the Directive, read in the light of the Charter, did not preclude national law authorising the installation of a video surveillance system, for the purposes of pursuing legitimate interests in ensuring the safety and protection of individuals and property, without the consent of the data subjects. The processing of this data satisfied the conditions in Article 7(f).
Why is this important?
The case provides a rare analysis of legitimate interest processing, and re-states the three-test rule formed in Case C-13/16 Rigas satiksme EU:C:2017:336, namely the “purpose test”, the “necessity test” and the “balancing test”.
Any practical tips?
Consider whether there are alternative ways of meeting the same objective of the processing. Here the fact that the co-owners of the apartment building had tried other means to combat the damage to their property (eg the previous, failed installation of intercom/magnetic card entry) was of particular importance to the court. And remember to apply the condition in so far as is strictly necessary (eg with CCTV, consider whether all of a building needs to be recorded, or whether there are specific times that need to be recorded only). Ensure also that the data is only accessible to those necessary to satisfy the legitimate interests conditions.