02 December 2021

Developments in technology have enabled us to shop, work and even answer the door with a simple tap on a digital screen. These advancements now form an integral part of our daily activities, but they also present new challenges and legal consequences in relation to data protection rights.

The judgment given in a recent case involving the use of a Ring Doorbell found the processing of personal data to be “problematic” and ultimately a breach of the Data Protection Act 2018. This follows the decision of a Scottish court in Woolley v Akbar where BTO (Paul Motion) won the first domestic CCTV case.

In Fairhurst v Woodward, Dr Fairhurst raised an action against her neighbour Mr Woodward as a result of his use of security cameras and lights at various locations at and around his property. It was established that the images and audio files of Dr Fairhurst captured on these devices were personal data, and as such, the transmission to and retention of these images and sounds in Mr Woodward’s devices, or to whomever they were sent, were classed as the processing of personal data within the meaning of the UK General Data Protection Regulation (“GDPR”). Therefore, the question for the court was whether Mr Woodward, as a data controller, had processed such personal data lawfully in accordance with the principles set out in Article 5(1) of the UK GDPR.

3 Principles relating to processing of Personal Data

Mr Woodward was found to have breached the first principle – to process personal data lawfully, fairly and in a transparent manner – because he “sought to actively mislead” Dr Fairhurst about how and whether the cameras operated and what they captured.

The second principle limits the processing of personal data to specified, explicit and legitimate purposes. Judge Melissa Clarke found that Mr Woodward had again sought to mislead Dr Fairhurst in relation to this principle. Mr Woodward claimed that the camera on his shed only captured his car parking spaces and the camera on his driveway did not collect her personal data at all when, in reality, both cameras did capture and collect Dr Fairhurst’s personal data. Mr Woodward was thus held to have breached the second principle.

The data minimisation principle, the third principle, requires personal data to be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. Judge Clarke found that the audio range of certain devices captured well beyond the range of video recording and, therefore, could not be said to be reasonable for the purpose of crime prevention (as claimed by Mr Woodward). For all these reasons Dr Fairhurst was successful in her claim that Mr Woodward breached the provisions of the Data Protection Act 2018 and the UK GDPR.

This case highlights how easy it is to become a data controller and the importance of being aware of how your actions can affect the data protection rights of others.

Lynn Richmond, Partner, Certified Specialist in Cyber Security and Accredited Specialist in IP: lyr@bto.co.uk / 0131 222 2939
Ibinabo David-West, Trainee Solicitor: ida@bto.co.uk / 0141 221 8012