This article was first published on Lexis®PSL Information Law on 28 January 2020 with the caveat that the views expressed by Legal Analysis interviewees are not necessarily those of the proprietor.
Click for a free trial of Lexis®PSL
Information Law analysis: The Court of Justice recently shed some light on interpreting so-called ‘legitimate interests’ under data protection rules in the context of video surveillance/CCTV with regard to Romanian legal proceedings. The Court of Justice ruled that the relevant provisions of both Directive 95/46/EC (the Data Protection Directive) and the Charter of Fundamental Rights did not preclude national rules which authorise the installation of a video surveillance system, such as the system in the dispute in question, installed in the common parts of a residential building, for the purposes of pursuing ‘legitimate interests’ of ensuring the safety and protection of individuals and property, without the consent of the data subjects, if the processing of personal data carried out by means of the video surveillance system at issue fulfils the conditions laid down in the Data Protection Directive concerning ‘legitimate interests’.
André Bywater, partner at Cordery, considers the ruling.
TK v Asociaţia de Proprietari bloc M5A-ScaraA, Case C‑708/18
What are the practical implications of this case?
While this case was decided under the previous EU data protection regime there is a good chance that in general terms at least, similar reasoning and conclusions would apply under the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 but do ensure that you obtain legal advice on these issues (as regards GDPR, the UK Data Protection Act 2018, Information Commissioner’s Office (ICO) Guidance etc).
If you install a CCTV/video surveillance system and seek to justify your lawful basis for processing under GDPR on the basis of ‘legitimate interests’, you will need to ensure that you do a full and thorough ‘legitimate interests’ assessment; also make sure that this is documented.
What was the background?
The Romanian legislation in question concerned the national law implementing the EU rules that preceded the EU GDPR, ie the Data Protection Directive, along with a separate set of specific rules concerning personal data processing and video surveillance systems.
A dispute escalated into legal proceedings between a certain ‘TK’ and the Asociaţia de Proprietari bloc M5A-ScaraA (Association of co-owners of building M5A, staircase A, ‘the association of co-owners’) where TK applied for a court order to require the association of co-owners to take out of operation the building’s video surveillance system and remove the cameras installed in the common parts of the building.
According to the Bucharest Regional Court the video surveillance system at issue did ‘not seem to have been used in a manner or for a purpose not corresponding to the stated objective of the association of co-owners of protecting the life, physical integrity or health of the data subjects, namely the co-owners of the building in which that system was installed.’ The Bucharest Regional Court therefore made a request for a preliminary ruling to the Court of Justice asking a series of questions concerning the interpretation of the Data Protection Directive and also the (EU) Charter of Fundamental Rights, where the focus was very much on ‘legitimate interests’.
What did the court decide?
The Court of Justice ruled that the relevant provisions of both the Data Protection Directive and the Charter of Fundamental Rights did not preclude national rules which authorise the installation of a video surveillance system, such as the system in the dispute in question, installed in the common parts of a residential building, for the purposes of pursuing ‘legitimate interests’ of ensuring the safety and protection of individuals and property, without the consent of the data subjects, if the processing of personal data carried out by means of the video surveillance system at issue fulfils the conditions laid down in the Data Protection Directive concerning ‘legitimate interests’. Although, in line with preliminary ruling procedure, the Court of Justice left it for the Bucharest Regional Court to determine whether the ‘legitimate interests’ conditions had been met, in arriving at its conclusion the Court of Justice set out some interesting detailed points about ‘legitimate interests’ concerning the issues at hand, including the following:
- by way of reminder, three cumulative conditions apply in order for the processing of personal data to be lawful, namely—the pursuit of a ‘legitimate interest’ by the data controller or by the third party or parties to whom the data are disclosed; the need to process personal data for the purposes of the ‘legitimate interests’ pursued; and, that the fundamental rights and freedoms of the person concerned do not take precedence over the legitimate interest pursued
- in this case, the objective which the data controller was seeking to achieve when installing a video surveillance system such as that at issue, ie protecting the property, health and life of the co-owners of a building, was likely to be characterised as a ‘legitimate interest’, and so the first abovementioned condition appeared in principle to be fulfilled
- the pursuit of ‘legitimate interests’ justifying that processing ‘must be present and effective as at the date of the data processing and must not be hypothetical at that date. It cannot, however, be necessarily required, at the time of examining all the circumstances of the case, that the safety of property and individuals was previously compromised’. In the case in question, the condition relating to the existence of a ‘present and effective’ interest seems in any event to be fulfilled as the Bucharest Regional Court had noted that:
‘thefts, burglaries and acts of vandalism had occurred before the video surveillance system was installed and that was despite the previous installation, in the entrance to the building, of a security system comprising an intercom/magnetic card entry’
- as regards the second condition, this must be examined in conjunction with the so-called ‘data minimisation’ principle. Here, the proportionality of the processing of data at issue seem to have been taken into account in the case in question, eg the video surveillance device was limited only to the common parts of the building in co-ownership and the approach to it. But ‘the proportionality of the data processing by a video surveillance device must be assessed by taking into account the specific methods of installing and operating that device.’ So, the:
‘controller must examine, for example, whether it is sufficient that the video surveillance operates only at night or outside normal working hours, and block or obscure the images taken in areas where surveillance is unnecessary’
- as regards the third condition, which necessitates a balancing of the opposing rights and interests concerned, ‘account must be taken, inter alia, of the nature of the personal data at issue, in particular of the potentially sensitive nature of those data, and of the nature and specific methods of processing the data at issue, in particular of the number of persons having access to those data and the methods of accessing them.’ Further,
‘[t]he data subject’s reasonable expectations that his or her personal data will not be processed when, in the circumstance of the case, that person cannot reasonably expect further processing of those data, are also relevant for the purposes of the balancing exercise.’
- Court: European Court of Justice
- Judge: A Prechal, L S Rossi, J Malenovský, F Biltgen and N Wahl
- Date: 11 December 2019
Interviewed by Alex Heshmaty.
|André Bywater, Cordery,
Lexis House, 30 Farringdon Street, London, EC4A 4HH
|Office: +44 (0)207 075 1785|