This morning, the Court of Justice of the EU handed down a judgment that has important implications for the processing of personal data by private persons. In the Czech case of Ryneš v Úřad pro ochranu osobních údajů the Court established that the European Data Protection Directive applies to a video recording made with a surveillance camera installed by a person on his family home and directed towards the public footpath. It thus clarified to what extent horizontal legal relationships among natural persons fall within the sphere of scrutiny of the Directive.
The case concerned Mr Ryneš, whose family and home had been subject to attacks by unknown individuals between 2005 to 2007. In response to the attacks, he installed a surveillance camera under the eaves of his home, which recorded the entrance to his home, the public footpath and the entrance to the house opposite. A video recording made it possible for the police to identify two people who attacked Ryneš's home in October 2007, breaking a window by a shot from a catapult. In the criminal proceedings against the two suspects the question arose whether the Data Protection Directive applied to Ryneš's use of the camera. This question is of relevance for private legal relationships, since the 'processing of data in the course of a purely personal or household activity' is excluded from the scope of the Directive and, therefore, not subject to the rules on data protection laid down in this instrument.
The CJEU reaches the conclusion that Mr Ryneš's use of the surveillance camera cannot be included in the exemption and, therefore, falls within the scope of the Directive:
'The second indent of Article 3(2) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the operation of a camera system, as a result of which a video recording of people is stored on a continuous recording device such as a hard disk drive, installed by an individual on his family home for the purposes of protecting the property, health and life of the home owners, but which also monitors a public space, does not amount to the processing of data in the course of a purely personal or household activity, for the purposes of that provision.'
According to the Court, the use of the camera does not qualify as 'processing of data in the course of a purely personal or household activity', since this provision should be narrowly interpreted:
'27. As is clear from Article 1 of that directive and recital 10 thereto, Directive 95/46 is intended to ensure a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy, with respect to the processing of personal data (see Google Spain and Google, C‑131/12, EU:C:2014:317, paragraph 66)
28. In that connection, it should be noted that, according to settled case-law, the protection of the fundamental right to private life guaranteed under Article 7 of the Charter of Fundamental Rights of the European Union (‘the Charter’) requires that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary (see IPI, C‑473/12, EU:C:2013:715, paragraph 39, and Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 52).
29. Since the provisions of Directive 95/46, in so far as they govern the processing of personal data liable to infringe fundamental freedoms, in particular the right to privacy, must necessarily be interpreted in the light of the fundamental rights set out in the Charter (see Google Spain and Google, EU:C:2014:317, paragraph 68), the exception provided for in the second indent of Article 3(2) of that directive must be narrowly construed.'
Natural persons can, therefore, not easily escape scrutiny of data processing under the Directive. Only such activities as correspondence or keeping an address book are exempted. Camera surveillance, insofar as it, even partially, covers a public space is 'directed outwards from the private setting of the person processing the data in that manner' and is therefore not excluded from the Directive's scope.
Importantly, the Court adds that the national court, when assessing the data processing, should take into account legitimate interests pursued by the data controller (in casu, Mr Ryneš) in protecting the property, health and life of his family and himself. Thus, it is up to the national court to balance the interests of the parties within the legal framework set out by the Data Protection Directive. An interesting example of both Europeanisation and constitutionalisation of private legal relationships.