Court awards damages for breach of Data Protection Act where CCTV coverage exceeded lawful basis

By:

The case of Dr Mary Fairhurst -v- Mr Jon Woodard illustrates the risks associated with the installation of security cameras at property and why it is vital to ensure a lawful basis for capturing and processing such images exists.

Background

Dr Fairhurst brought a claim against Mr Woodard for invasion of her privacy for (1) harassment; (2) nuisance; and, (3) breach of the Data Protection Act 2018 (DPA). It was alleged that those acts were committed by Mr Woodard’s liberal use of security cameras and lights around his property. Dr Fairhurst (the Claimant) was a neighbour. Both houses backed onto a shared car park and the Claimant’s house backed onto a parking space owned by Mr Woodard (the Defendant). The Defendant’s house backed onto the Claimant’s parking space. The Defendant mounted a floodlight and sensor and a spotlight camera on his shed, facing the car park. He placed another camera at the front of his property, at the side of one of his properties, and (for some reason) attached one to someone else’s house too.

Applicability of data protection law

Recital 18 of the General Data Protection Act 2016/279 (GDPR) makes it clear that the GDPR does not apply to personal or household activity and Information Commissioner’s Office guidance1 directly broaches the use of CCTV and states that data protection law does not apply to capturing images from within the boundary of your property but does if it goes beyond the border. In this case, it was an agreed fact that the data protection legislation applied so the judgment does not consider the issue in any great detail.

Breaches of data protection law

The Judge drew the following conclusions about the data protection elements:

Given the extensive findings that I have made relating to the manner in which the Defendant sought to actively mislead the Claimant about how and whether the Cameras operated and what they captured I am satisfied that the Defendant has breached: the first principle as he cannot be said to have processed data fairly or in a transparent manner; and the second principle, as he has not collected data for a specified or explicit purpose but rather sought to mislead the Claimant (i) that the Shed Camera was focussed only on his car parking spaces when I am satisfied that on many occasions it had a very wide field of view and captured the Claimant’s personal data as she drove in and out of the car park; and (ii) that the Driveway Camera was not collecting her personal data at all, when I am satisfied that it was.

It was found that, while the Defendant may have had justification for cameras for crime prevention reasons2, the collection of data outside his property boundaries went beyond that justification and so was not necessary. In the alternative, were the Defendant able to argue that this “cross-border processing” was necessary, the balancing act between his purposes for processing and the Claimant’s privacy rights swung in her favour and this was too intrusive.

Outcome

The Claimant’s claims in harassment and breach of the DPA succeeded. The claim for nuisance caused by loss of privacy failed, on the basis that case law3 established that “mere overlooking from one property to another is not capable of giving rise to a cause of action in private nuisance” and also because the impact of the cameras was found not to have been foreseeable by the Defendant.

The judgment ends fairly abruptly, on the basis that quantum – the level of compensation to be awarded – was to be dealt with separately. It is understood from media reports that the Defendant is seeking GBP100 thousand in damages. This may be rather optimistic.

Recommendations

Whilst only County Court level and therefore not binding, the Judgment is a helpful reminder for both business and property owners to ensure that any security cameras are installed in accordance with all legal requirements


1 Domestic CCTV systems - guidance for people using CCTV.
2
 The Defendant sought to rely on Article 6(1)(f) of the GDPR – legitimate interests (of crime prevention) – as his lawful basis of processing.
3
 Fearn and Ors v Board of Trustees of the Tate Gallery [2020] EWCA Civ 104.