When a “Ring” doorbell lands you with a data fine

The question

How careful do you need to be when installing a household security system to avoid breaching data regulations?

The key takeaway

Balancing the owner of a household security system’s legitimate interest in preventing crime against his neighbour’s privacy rights, it was found that the processing of personal data captured by a security system, including particular audio data, was in breach of the DPA 2018 and UK GDPR.

The background

Mr Woodard (perhaps unsurprisingly, an audio-visual technician) installed a security system comprising a floodlight, sensor and a series of Ring products (as now manufactured by Amazon). He invited his neighbour, Dr Fairhurst, round to see his home renovations. Upon completing the tour, Dr Fairhurst was “alarmed appalled and shocked” to see that her neighbour’s renovations included two spotlight cameras and a doorbell system. Together, these provided video and audio surveillance capabilities which, once recorded, were uploaded to cloud storage hosted by Amazon. The disgruntled neighbour took issue with Mr Woodard’s range of recording devices, arguing that it unnecessarily and unjustifiably invaded her privacy which amounted to a nuisance, breach of the DPA 2018 and constituted a course of conduct designed to harass her contrary to the Protection from Harassment Act 1997. This was primarily due to the field and depth of view of the cameras, which captured images of Dr Fairhurst’s house and garden, as well as the sensitivity of the microphone.

The decision

Whilst the nuisance claim was dismissed, it was found that the security system constituted a breach of the DPA 2018, UK GDPR and also constituted harassment. 

It was common ground that the cameras collected personal data and that the transmission to the defendant’s phone or computer or other device, the retention of any images or sound on such a device and their onward transmission to the cloud or police were deemed as “processing” under the UK GDPR. The owner of the security system was a data controller pursuant to the Regulations. Subsequently, the key question was whether the owner of the system has processed such personal data lawfully and in accordance with the principles set out in Article 5(1). 

It was found the owner of the system had not processed the data fairly or in a transparent manner, nor had he collected data for a specified or explicit purpose and as such, was non-compliant with the applicable regulations. This was due to the extent and range of data captured meant that personal data was captured from people who are not even aware the devices exist, or that they record and process personal data.

Why is this important?

Whilst set in the context of a neighbour at war with a keen audio-visual professional, the case is a timely reminder of the stringency imposed by the UK GDPR and DPA 2018 and the rigours of the underlying data protection principles. Specifically, the data minimisation principle was put under the spotlight when examining the “audio personal data” in particular: personal data “shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.

Further, the case highlights how well-worn data protection principles apply to the non-commercial use of home security devices that capture and temporarily store personal data.

Any practical tips?

Ultimately, the learnings from this case can be boiled down to one simple take-away: when contemplating data protection in any context but specifically the processing of personal data, one must ensure one does not go above and beyond what is strictly necessary to fulfil the essential purpose of such processing.

On domestic surveillance systems specifically, the ICO provided guidance which stated “There are many domestic CCTV systems on the market to help you protect your home. If you’re thinking of using one, you need to make sure you do so in a way that respects other people’s privacy”.