Neil Brown comments on a recent decision of the CJEU on the application of the data protection framework to everyone’s life online.
The CJEU has ruled in the case of Buivids (C–345/17) that someone who records video with identifiable people in the background and uploads that video to an online platform allowing unrestricted access by third parties falls within the scope of the data protection framework, and outside the domestic purposes exemption.
The core facts were that a private individual, Mr Buivids, made a video recording in a police station, while he was making a statement in the context of administrative proceedings which had been brought against him. That video included footage of police officers going about their duties in the police station.
Mr Buivids uploaded the footage to YouTube which, the CJEU helpfully notes “is an internet site that allows users to publish, share and watch videos”.
There were two questions before the court:
• Was the filming and uploading within the scope of the data protection directive; and
• Could this activity be said to have been carried out " solely for journalistic purposes”.
Question 1: was the activity within the scope of the data protection directive?
The court found that, “it is possible to see and hear the police officers in the video in question, with the result that it must be held that those recorded images of persons constitute personal data".
Moreover, "a video recording of persons … is stored on a continuous recording device, namely the memory of that camera. Thus, such a recording constitutes a processing of personal data by automatic means."
Similarly, "the act of publishing a video recording, such as the video in question, which contains personal data, on a video website on which users can send, watch and share videos, constitutes processing of those data wholly or partly by automatic means".
So far, nothing overly surprising.
The Court’s decision as to whether the individual’s activities were “by a natural person in the course of a purely personal or household activity" is, however, perhaps more of a surprise.
The Court has previously applied the “domestic purposes” exemption to someone’s home video recording kit, in the case of Rynes (C-212/13). Despite acknowledging that the purpose of the system was for “protecting the property, health and life of the home owners”, because the camera system “also monitor[ed] a public space", it did not amount to the processing of data in the course of a purely personal or household activity. Processing which “even partially” covered a public space fell outside the scope of that exemption.
In my view, the Court erred in reaching that conclusion, confusing the subject of the processing with the purpose of the processing.
Unfortunately, the Court extended its reasoning, holding in Buivids that “since Mr Buivids published the video in question on a video website on which users can send, watch and share videos, without restricting access to that video, thereby permitting access to personal data to an indefinite number of people, the processing of personal data at issue in the main proceedings does not come within the context of purely personal or household activities”.
The focus of the decision appears to be on the scope of the lack of access controls put in place on YouTube, and the fact that the video was thus visible to “an indefinite number of people”.
As with Rynes, this seems to me to be an illogical conclusion, focussing on the audience with whom the data were made available, rather than the purposes of the processing. In reaching its conclusion, the court appears to hold the view that sharing a video freely online is inconsistent with the concept of a “personal … activity”, despite the number of people doing exactly that in sharing holiday photos or videos on social networking sites every day.
Question 2: the journalistic exemption?
On whether the man was entitled to rely on the journalistic exemption, the court refused to be drawn:
"In the light of the foregoing considerations, the answer to the second question is that Article 9 of Directive 95/46 must be interpreted as meaning that factual circumstances such as those of the case in the main proceedings, that is to say, the video recording of police officers in a police station, while a statement is being made, and the publication of that recorded video on a video website, on which users can send, watch and share videos, may constitute a processing of personal data solely for journalistic purposes, within the meaning of that provision, in so far as it is apparent from that video that the sole object of that recording and publication thereof is the disclosure of information, opinions or ideas to the public, this being a matter which it is for the referring court to determine."
Where does that leave us?
In concluding that recording and sharing this video on YouTube fell outside the scope of the domestic purposes exemption, on the basis that it contained the personal data of third parties, and was available online to an unrestricted number of viewers, the Court’s decision seems to me to be at odds with the very real hobbyist and personal activities of all number of users of today’s highly popular online services.
The impact of being within the data protection framework is substantial. Not only would the individual need to register with, or notify, their national supervisory authority, in line with local legal requirements, they would need to provide appropriate privacy information to everyone on the video, respond to access requests or other requests from data subjects for the exercise of their rights, and fulfil all the other responsibilities of a controller.
If someone has a dashcam in their car, or wears a helmet camera when they go for a bike ride, the resulting footage will contain the personal data of many tens, if not hundreds, of people. It is clearly impractical to communicate privacy information to all of them.
Similarly impractical, the controller would need to consider the location of the services onto which they were uploading the footage, and ensuring that they had an appropriate data processing agreement in place, possibly with the addition of model clauses or other appropriate safeguards where the processor was outside the EEA.
We can probably distinguish family videos pretty easily, still, but how far would that stretch?
A photo of a group of friends — do you now need to tell them the contents of a privacy notice before you tweet it, unless your account is locked down? Or check the Data Protection (Charges and Information) Regulations 2018, to see if you need to pay the ICO first?
Is the Court really suggesting that private individuals, perhaps even children given a helmet camera for Christmas, should be subject to the full force of the data protection framework, for doing something as common and mundane as putting the resulting footage online? Seemingly so.
Personally, over the last few months, I have seen a fair few “GDPR experts” (lawyers and others) struggling with the GDPR. It seems unimaginable that the framework was intended to apply to your average consumer, expecting them to understand and apply it to their everyday activities.
Some will, no doubt, argue that a highly restrictive interpretation of the domestic purposes exemption is necessary to protect the fundamental rights or privacy or protection of personal data. But in finding that such a commonplace action falls within the scope of the data protection framework, turning everyday drivers, cyclists, perhaps even holiday photographers, into regulated controllers, the Court’s decision seems inconsistent with modern day life.
This decision is not going to stop people posting footage or photos (with others in the background) on the Internet. Nor will it be possible for regulators to take enforcement action against every infringer. The outcome, it seems, must inevitably be selective enforcement: that everyone who posts a video from their bike or their car does so under the shadow that, while enforcement is unlikely, it is possible.
Commenting on Twitter, Luis Villa (@luis_in_brief) suggested that "this will go unenforced against the mass public so that only the conscientious and law abiding are inconvenienced, which is almost maximally bad outcome."
Graham Smith’s (@cyberleagle) apt take was along the same lines: "[vague, catch-all, laws] offend against the legality principle. Delegation of enforcement policy risks arbitrary and discriminatory application."
While it may transpire that, in this case, the individual is entitled to rely on the journalistic exemption, as a matter of public policy, it seems unrealistic to expect private individuals, going about their daily lives, to be equipped to undertake this kind of assessment.
Life will, of course, move on. But perhaps tomorrow’s hobbyist photographers or ride-recording cyclists will go about their activities, overshadowed by the looming spectre of potential enforcement for breaches of the GDPR, about which they, quite reasonably, know nothing.
Neil Brown is Director of decoded:Legal, a telecoms, technology and Internet law firm. @neil_neilzone