The Data Protection Directive (95/46/EEC) applies to a video recording made with a surveillance camera installed by a person on his family home and directed towards the public footpath. Nevertheless, under the Directive, a person has a legitimate interest in protecting the property, health and life of his family and himself.
Under the Data Protection Directive, it is not as a general rule permitted to process personal data unless the data subject has given his consent. However, the directive does not apply to the processing of data carried out by a natural person in the course of a purely personal or household activity.
Mr Ryneš and his family were subjected to a number of attacks by unknown persons, and on several occasions the windows of their house were broken. In response to those attacks, Mr Ryneš installed a surveillance camera on the family home, which filmed the entrance, public footpath and the entrance to the house opposite.
During the night of 6 to 7 October 2007, a window of the family home was broken by a shot from a catapult. The recordings made by the surveillance camera were handed over to the police and made it possible to identify two suspects, who were subsequently prosecuted before the criminal courts.
However, one of the suspects disputed before the Czech Office for the Protection of Personal Data the legality of the processing of the data recorded by Mr Ryneš’ surveillance camera. The Office found that Mr Ryneš had in fact infringed the personal data protection rules and fined him. In that connection, one of the points made by the Office was that the data on the suspect had been recorded without his consent while he was on the public footpath in front of M. Ryneš’ house.
The Nejvyšší správní soud (Supreme Administrative Court, Czech Republic), hearing the appeal in the dispute between Mr Ryneš and the Office, asks the Court of Justice whether the recording made by Mr Ryneš for the purposes of protecting the life, health and property of his family and himself (that is to say, the recording of personal data relating to the individuals launching an attack on his house from the public footpath) constitutes a category of data processing that is not covered by the directive, on the grounds that that recording was made by a natural person in the course of purely personal or household activities.
In this judgment, the Court states first of all that the term ‘personal data’ as used in the Directive encompasses any information relating to an identified or identifiable natural person. An identifiable person is anyone who can be identified, directly or indirectly, by reference to one or more factors specific to his physical identity. Consequently, the image of a person recorded by a camera constitutes personal data because it makes it possible to identify the person concerned.
Similarly, video surveillance involving the recording and storage of personal data falls within the scope of the Directive, since it constitutes automatic data processing.
Secondly, the Court finds that the exception provided for in the directive in the case of data processing carried out by a natural person in the course of purely personal or household activities must be narrowly construed. Accordingly, video surveillance which covers a public space and which is accordingly directed outwards from the private setting of the person processing the data cannot be regarded as an activity which is a ‘purely personal or household activity’.
In applying the Directive, the national court must, at the same time, bear in mind the fact that that directive makes it possible to take into account the legitimate interest of the person who has engaged in the processing of personal data (‘the controller’) in protecting the property, health and life of his family and himself.
Specifically, firstly, one of the situations in which personal data processing is permissible without the consent of the data subject is where it is necessary for the purposes of the legitimate interests pursued by the controller. Secondly, the data subject need not be told of the processing of his data where the provision of such information proves impossible or would involve a disproportionate effort. Thirdly, Member States may restrict the scope of the obligations and rights provided for under the Directive if such a restriction is necessary to safeguard the prevention, investigation, detection and prosecution of criminal offences, or the protection of the rights and freedoms of others.