What do people use dashcams and cameras on cycle helmets for? I’m sure that some (especially in the latter group) use them to capture footage of interesting journeys they have made. But a considerable proportion of users – surely – use them in the event that the user is involved in a road traffic incident. Indeed the “National Dash Cam Safety Portal”, although provided by a commercial organisation selling cameras, is operated in partnership with, and enables upload of footage to, police forces in England and Wales, and its FAQ clearly inform people of the evidential nature and implications of such footage. And a recent piece on the “Honest John” website suggests that one in four dashcam submissions result in a prosecution. Whatever the intentions were of the people who used those dashcams to record that footage, it is undeniable that the outcome of the processing of personal data involved had a significant effect on the rights of those whose data was processed.
Article 2 of the UK GDPR says that the law’s scope does not extend to processing of personal data “by a natural person in the course of a purely personal or household activity”, and the case law of the Court of Justice of the European Union (at least insofar as such case law decided before 1 January 2021 is retained domestic law – unless departed from by the Court of Appeal or the Supreme Court) makes clear that use of recording cameras which capture footage containing personal data outwith the orbit of one’s property cannot claim this “purely personal or household activity” exemption (see, in particular the Ryneš case).
Yet the position taken by the authorities in the UK (primarily by the Information Commissioner’s Office (ICO)) largely fails to address the difficult issues arising. Because if the use of dashcams and helmet cams, when they result in the processing of personal data which is not exempt under under the “purely personal and household exemption, is subject to data protection law, then those operating them are, in principle at least, obliged to comply with all the relevant provisions of the UK GDPR, including: compliance with the Article 5 principles; providing Article 13 notices to data subjects; complying with data subject request for access, erasure, etc. (under Articles 15, 17).
But the ICO, whose CCTV guidance deals well with the issues to the extent that domestic CCTV is in issue, implies that use of dashcams etc, except in a work context, is not subject to the UK GDPR. For instance, its FAQs on registering as a data protection fee payer say “the use of the dashcam in or on your vehicle for work purposes will not be considered as ‘domestic’ and therefore not exempt from data protection laws”. It is very difficult to reconcile the ICO’s position here with the case law as exemplified in Ryneš.
And what raises interesting questions for me is the evidential status of this dashcam and helmet cam footage, when used in prosecutions. Although English law has traditionally tended to take the approach that evidence should be admitted where it is relevant, rather than excluding it on the grounds that it has been improperly obtained (the latter being a species of the US “fruit of the poisoned tree” doctrine), it is surely better for a court not to be faced with a situation where evidence may have been obtained in circumstances involving illegality.
If this was a passing issue, perhaps there would not need to be too much concern. However, it is clear that use of mobile video recording devices (and use of footage in criminal, and indeed civil, proceedings) is increasing and will continue to do so, at the same time as access to such devices, and the possibility for their covert or surreptitious use, also increases. It is, no doubt, a tremendously tricky area to regulate, or event to contemplate regulating, but that is no reason for the ICO to duck the issue.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.