Making criminals of us all

The Information Commissioner thinks that countless households operating CCTV systems need to register this, and pay a £35 fee for doing so. If they don’t, they might be committing a crime. The Commissioner is probably mostly correct, but it’s a bit more complex than that, for reasons I’ll explain in this post.

Back in 2014, to the surprise of no one who had thought about the issues, the Court of Justice of the European Union (CJEU) held that use of domestic CCTV to capture footage of identifiable individuals in public areas could not attract the exemption at Article 3(2) of the European data protection directive for processing of personal data

by a natural person in the course of a purely personal or household activity

Any use of CCTV, said the CJEU, for the protection of a house or its occupiers but which also captures people in a public space is thus subject to the remaining provisions of the directive:

the operation of a camera system, as a result of which a video recording of people is stored on a continuous recording device such as a hard disk drive, installed by an individual on his family home for the purposes of protecting the property, health and life of the home owners, but which also monitors a public space, does not amount to the processing of data in the course of a purely personal or household activity, for the purposes of that provision

As some commentators pointed out at the time, the effect of this ruling was potentially to place not just users of domestic CCTV systems under the ambit of data protection law, but also, say, car drivers using dashcams, cyclists using helmetcams, and many other people using image recording devices in public for anything but their own domestic purposes.

Under the directive, and the UK Data Protection Act 1998, any data controller processing personal data without an exemption (such as the one for purely personal or household activity) must register the fact with the relevant supervisory authority, which in the UK is the Information Commissioner’s Office (ICO). Failure to register in circumstances under which a data controller should register is a criminal offence punishable by a fine. There is a two-tier fee for making an entry in the ICO’s register, set at £35 for most data controllers, and £500 for larger ones.

For some time the ICO has advised corporate data controllers that if they use CCTV on their premises they will need to register:


But I recently noticed that the registration page itself had changed, and that there is now a separate button to register “household CCTV”


If one clicks that button one is taken to a page which informs that, indeed, a £35 fee is payable, and that the information provided will be published online 


There is a link to the ICO’s overarching privacy notice [ed. you’re going to have to tighten that up for GDPR, guys] but the only part of that notice which talks about the registration process relates only to “businesses”


Continuing the household CCTV registration process, one then gets to the main screen, which requires that the responsible person in the household identify themselves as data controller, and give either their household or email address for publication


What this all means is that it is the ICO’s apparent view that if you use CCTV in your household and capture footage outside the boundaries of your property, you are required to register this fact publicly with them, and pay a £35 fee. The clear implication, in fact the clear corollary, is that failure to do so is a criminal offence.

(In passing, there is a problem here: the pages and the process miss the point that for the registration to be required, the footage needs to be capturing images of identifiable individuals, otherwise no personal data is being processed, and data protection law is simply not engaged. What if someone has installed a “nest cam” in a nearby wooded area? Is ICO saying they are committing a criminal offence if they fail to register this? Also, what if the footage does capture identifiable individuals outside the boundaries of a household, but the footage is only taken for household, rather than crime reduction purposes? The logical conclusion of the ICO pages here is that anyone who takes video footage anywhere outside their home must register, which contradicts their guidance elsewhere.)

What I find particularly surprising about all this is that, although fundamentally it is correct as a matter of law (following the Ryneš decision by the CJEU), I have seen no publicity from the ICO about this pretty enormous policy change. Imagine how many households potentially *should* register, and how many won’t? And, therefore, how many the ICO is implying are committing a criminal offence?

And one thing that is really puzzling me is why this change, now? The CJEU ruling was thirty months ago, and in another eleven months, European data protection law will change, removing – in the UK also – the requirement to register in these circumstances. If it was so important for the ICO to effect these changes before then, why keep it quiet?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

9 Comments

Filed under Data Protection, Directive 95/46/EC, GDPR, Information Commissioner, Uncategorized

9 responses to “Making criminals of us all

  1. As above

    Well spotted!

    You can almost run the same argument about Lindqvist which means that anyone posting photos publicly on Facebook is likely to be not purely personal. Such Facebook users should register also with the ICO and stump up £35 (in theory).

    I think the CCTV notification fee is a way of increasing revenue for the pre-GDPR implementation work the ICO has to do (as new notification fees under the GDPR – estimated to be £1,000+ only take effect when the powers in the Digital Economy Act are used – and that won’t be until the GDPR comes in; see http://amberhawk.typepad.com/amberhawk/2017/04/large-business-registration-fee-could-increase-to-7k-per-year-as-a-result-of-the-gdpr.html)

    CP

    • Agree on the Lindqvist point, and I previously blogged about the fact that ICO correctly agreed with me that most bloggers – like me – should notify, although I haven’t!

      But if ICO really are doing this to boost revenue, why are they not advertising it?

  2. Martin

    Hi Jon,
    As an individual who has had a burglary in the past few weeks, I rang the local constabulary who let me know that because of budget restraints they would only come and investigate if the burglars had potentially left any ‘prints’ or had left anything behind belonging to them. They further said that if I had good home CCTV images they would be interested in seeing them. I stated that I had no CCTV and asked if this was a common with homeowners and the answer was that very many people now have CCTV. I fully agree with your point about where CCTV monitors public places the DC should register but judging from my experience, the police are encouraging its use.

    MG

  3. Dan

    Has there been any clarification as to whether dashboard camera users have to register? For me, that is far more intrusive than a stationary camera. Would the public register include the Reg Plate of the vehicle?

  4. Pingback: Making even more criminals | informationrightsandwrongs

  5. Lynn Evans

    I suspect the reason the ICO is introducing this now is because of the replacement charging regime brought in via amends to the DPA in the Digital Economy Act (which presumably will reappear in the Data Protection Bill). Notification may be ending but charging is not.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s