IP & IT Bytes: Data Protection Directive: CCTV surveillance

06 February 2015

The European Court of Justice (ECJ) has held that the Data Protection Directive (95/46/EC) (the Directive) applies to CCTV installed by a person on his family home for crime prevention purposes and directed towards the public footpath and neighbouring house.


The Directive imposes broad obligations on those who collect personal data and confers broad rights on individuals about whom data are collected. Personal data is defined as any information relating to an identified or identifiable natural person (Article 2(a), the Directive) (Article 2(a)). The Directive does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity (Article 3(2), the Directive) (Article 3(2)).


In response to attacks on his property, R installed a CCTV camera system at his family home, to protect his property, health and the lives of his family and himself. The CCTV recorded the entrance to his home, the public footpath and the entrance to the house opposite. The CCTV recorded on a hard disk drive visual images, but no audio sound, on a continuous loop. Only R had direct access to the CCTV system and the data.

During one attack on R's home, the CCTV made it possible to identity two suspects. R handed the recording to the police and this evidence was relied on in the criminal proceedings that followed.

One of the suspects sought clarification from the Office for Personal Data Protection in the Czech Republic (the office) as to whether or not R’s use of the CCTV was lawful under Czech law. The office found that R had infringed the relevant law as follows:

  • As a data controller, he had used the CCTV to collect, without the data subject’s consent, the personal data of people on the public footpath or entering the house opposite.
  • He had not provided a privacy notice to inform people that: the CCTV was in place and was processing their personal data; the extent and purpose of that processing; by whom and by what means the personal data would be processed; or who would have access to the personal data.
  • He had not notified the office that he was processing personal data.

R's challenge to the office's decision, on the basis that his use of the CCTV was exempt under Article 3(2), was dismissed. R appealed to the Supreme Administrative Court of the Czech Republic, which referred the question to the ECJ for a preliminary ruling.


The ECJ held that for the purposes of the exemption for purely personal or household activity in Article 3(2), CCTV installed by an individual on his family home to protect the property, health and life of the home owners, but which also monitors a public space, does not amount to processing of personal data in the course of a purely personal or household activity and, therefore, falls within the scope of the Directive.

The image of a person recorded on a camera constitutes personal data within the meaning of Article 2(a) because it makes it possible to identify the person concerned. Video recording of individuals on a continuous recording device on a hard disk drive constitutes, under Article 3(1) of the Directive, the automatic processing of data. The processing of personal data falls within the Article 3(2) exemption only where it is carried out in the purely personal or household setting of the person who is processing the data. As the CCTV surveillance covered (or even partially covered), a public space and was directed outwards from the private setting, it could not be regarded as an activity that is a purely personal or household activity.

The ECJ noted that, in certain circumstances, the exemptions and restrictions within the Directive, in particular the pre-conditions to processing, make it possible to take into account the legitimate interests of the data controller (such as the protection of his property, his health and the life of his family and himself), which may permit lawful processing.


This decision may be seen as part of a series of cases strengthening individuals’ rights, such as Google Spain SL and Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (C-131/12; see News brief “Google decision: the right to be forgotten”, www.practicallaw.com/3-568-9605). The ruling has significant implications for the way that CCTV can be used at home, if the CCTV even partially records a public space. The UK Information Commissioner has indicated that it will update its code of practice on CCTV and other surveillance technologies in the light of the judgment.

The decision may also have broader implications for the way that other recording devices may be used in public spaces; for example, drones, body-worn video and wearable computing such as watches or glasses. It is unclear if the ECJ would have reached the same conclusion if the device in question had been a camera rather than a continuous video recording. 

Case: František Ryneš v Úřad pro ochranu osobních údajů C-212/13.

First published in the December 2014 issue of PLC Magazine and reproduced with the kind permission of the publishers. Subscription enquiries 020 7202 1200.