When Halloween arrives, we start to think about how data protection laws protect trick or treaters who visit our doorsteps and how technologies like CCTV and smart doorbells can be used in compliance with data protection regulations.
Apart from the ghosts and people celebrating on the streets during this season, there might be privacy concerns lurking in the shadows. Nowadays, surveillance technology has become surprisingly affordable, causing changes in spaces. So, without beings around, what potential risks to data privacy could be hidden in the darkness?
As these trick or treaters wander through the streets with their bags of treats, who is watching them and what rules govern the use of these surveillance technologies?
CCTV systems in the UK are subject to the General Data Protection Regulation (UK GDPR). However, this regulation does not apply to activities that are “purely personal or household” carried out by individuals (Article 2(2)(a)). This means that surveillance systems that only capture images within someone’s property boundaries are exempt from data protection law. Once you step outside the garden gate, provided that the cameras are only focused on the garden path, it can be a bit risky for our trick or treaters during Halloween.
Things get more complicated when the cameras capture images beyond your property boundaries. In such cases, it is advisable for homeowners to put up warning signs, provide copies of recordings if requested, delete footage, and adjust the camera’s position if asked to do so, while ensuring property safety.
However, when it comes to use, the Information Commissioner’s Office (ICO) takes an approach. They suggest that individuals should try their best to point their CCTV cameras away from their neighbors’ homes and gardens, shared spaces or public streets. However, they acknowledge that enforcing this can be challenging for individuals and usually only issue a warning to those who violate these guidelines. The ICO also reminds us that individuals have the option of taking action to protect their privacy rights in such cases.
When it comes to use of CCTV systems, organizations or individuals are not exempted like households and must comply with UK GDPR regulations.

When discussing “use”, it’s important to understand that the definition of household and personal use is quite limited and doesn’t exclude activities that we might consider non-commercial.
So, when our group of trick or treaters ventures into an area, the person in charge of the CCTV footage needs to follow all the data protection rules. This includes designing the system with data protection principles in mind, assessing transparency requirements, establishing policies and keeping comprehensive records of their actions and justifications. If there is any high-risk processing involved, such as monitoring of places or individuals in a workplace, the controllers must conduct a data protection impact assessment.
Moreover, those who operate CCTV systems are required to pay a fee and register with the ICO (Information Commissioner’s Office), which may request compliance documentation and evidence at any time – an experience that might unsettle them.
The ICO advises against making investments in surveillance devices and encourages individuals to choose systems that provide data protection solutions instead of opting for new affordable systems simply because they are available.
Smart Doorbells
Our Halloween squad successfully evaded fixed cameras in a parking lot and made it to the doorstep.
This particular house, like others designed to make use of the Internet of Things (IoT), has a doorbell that records any activity happening around it. It functions similarly to closed circuit television (CCTV) cameras, and when it captures footage beyond the property boundaries it becomes subject to data protection laws. In theory, trick or treaters also have the right to avoid being recorded by homeowners while they are on the street. Enforcing this right might prove challenging in reality.
It’s important to note that these regulations specifically apply to fixed camera systems. Drones, dashcams and personal mobile phones used for commercial purposes are generally exempt from data protection laws. As a result, homeowners are free to take pictures of the costumes on display during festivities.
However, individuals who answer the door should also consider who else might have access to the recordings made by their doorbell. In May 2023, Amazon faced a $5.8 million fine from the US Federal Trade Commission due to access of camera footage from similar doorbell-type systems. Ring is now required to discontinue practices, and their European terms and conditions ensure compliance with the GDPR regulations. Nevertheless, these concerns may raise doubts for some users about adopting this technology.
This serves as a reminder for anyone who is implementing a surveillance system: the images usually undergo processing on third-party platforms, and the security of the recorded footage depends on the strength of these platforms. It’s crucial to consider where the data is stored and how requests for access to the footage, whether from individuals captured on camera or authorities, will be handled.
What lies ahead?
Another unsettling possibility for Halloween enthusiasts is the combination of technology with recognition and classification systems. The regulation of technologies currently struggles to keep up with potential applications, making it challenging to predict future outcomes. The ICO recently completed a consultation on Phase 1 of its guidance regarding biometrics.
As facial recognition techniques, gait analysis and other movement analysis methods rapidly progress, privacy-conscious individuals may soon opt to venture out after dark while wearing gloves and masks, adopting walks – not just limited to Halloween.