Included in this edition of Data & Privacy News: Use of security cameras breached data protection law, EDPB adopts Guidelines on restrictions of data subject rights and more

County Court rules that use of security cameras breached data protection law

In Fairhurst v Woodard (Case No: G00MK161) (12 October 2021), the County Court upheld claims for harassment under the Protection from Harassment Act 1997 (PHA) and breach of the Data Protection Act 2018 (DPA). The claims stem from the defendant's use of security cameras at and around his property, including a ring-combined doorbell and video and audio surveillance system.

The case arose following Mr Woodard (the defendant) installing a series of security devices on his property, consisting of: a floodlight and sensor, together with a video and audio surveillance camera; a combined doorbell and video and audio surveillance system; a Spotlight Camera focused down the driveway; and a "Nest" camera inside the front windowsill.

Following a series of communications between the defendant and Dr Fairhurst (the claimant), the claimant alleged that the defendant had "consistently failed to be open and honest with the Claimant about the Cameras, has unnecessarily and unjustifiably invaded her privacy by his use of the Cameras and has intimidated her when challenged about that use". The claimant claimed that this amounted to: a nuisance; a breach of the DPA; and a course of conduct designed to harass the Claimant contrary to the PHA.

The Claimant sought damages for the harassment and data protection breaches and injunctive relief relating to the removal of the remaining cameras and to prevent the reinstallation of the Driveway Camera. In her judgment, Melissa Clarke J upheld the claimant's claims for harassment under the PHA and breach of the DPA but rejected the claim for nuisance.

As this is a County Court judgment, the case does not create a binding legal authority on higher courts or set a precedent for further rulings. However, as this is thought to be the first case in England and Wales to focus on video doorbells in this manner, it is possible that it may be considered in future County Court judgments. The case should also act as a reminder to individuals and businesses on the importance of considering data protection compliance when using video surveillance systems.

ICO issues warning on bulk email practices after fining Scottish charity

The Information Commissioner's Office (ICO) has published a reminder to organisations on their responsibility to have appropriate technical and organisational measures in place to ensure personal data is secure.

The reminder comes after HIV Scotland was fined £10,000 for contravening Articles 5(1)(f), 32(1) and 32(2) of the UK GDPR. The breach related to an email sent to 105 people that included patient advocates representing people living in Scotland with HIV. The email addresses of the recipients were all visible and 65 of the addresses identified people by name, with the personal data disclosed being enough to make an assumption on an individuals’ HIV status or risk. The ICO investigation into the breach also found that the company was continuing to use blind carbon copy (BCC) methods to send bulk emails seven months later, despite identifying the risk and purchasing a more secure communication method.

ICO part of joint statement on global privacy expectations of VTC companies

The Information Commissioner's Office (ICO) has published a statement regarding a letter sent to multiple video teleconferencing (VTC) companies expressing concerns about whether their privacy safeguards are keeping pace with the rapid increase in use of VTC services brought on by the Coronavirus pandemic.

The letter, from July 2020, provided VTC companies with some guiding principles to address key privacy risks and also invited five of the biggest VTC companies to reply, with Microsoft, Google, Cisco and Zoom all taking the opportunity to detail the how they will integrate their principles in the design and development of their VTC services. Following a review of the responses, the joint signatories further engaged with these companies to better understand the steps they take to implement, monitor, and validate the privacy and security measures put in place.

The ICO were co-signatures of the letter along with the data protection and privacy authorities from Australia, Canada, Gibraltar, Hong Kong SAR, China and Switzerland.

European Commission issues joint statement on the EU-Japan mutual adequacy arrangement

The European Commission, EU data protection authorities, the Personal Information Protection Commission of Japan (PPC) and other relevant Japanese authorities have conducted the first review of the EU-Japan mutual adequacy arrangement.

The review on the agreement, that was put in place in 2019, covers all aspects of the functioning of the adequacy decisions and also provides the opportunity to share information and experience on issues of common interest. The European Commission and PPC will conclude the review process by publishing separate reports on the functioning of their respective adequacy decisions.

Norwegian DPA issues multiple fines for GDPR breaches

The Norwegian Data Protection Authority (Norwegian DPA) has issued a series of fines to companies for breach of the General Data Protection Regulation (GDPR):

• Waxing Palace AS: Waxing Palace has been fined €10,000 after a complaint relating to the CCTV monitoring of the reception areas of a salon premises. The Norwegian DPA found that the CCTV monitoring was in breach of the GDPR as the company did not satisfactorily inform visitors or employees of its CCTV monitoring.
• St. Olavs Hospital: St. Olavs Hospital has been fined due to a lack of access management concerning folder areas outside patient records. The Norwegian DPA found that the folders were, in principle, accessible to all authorised users within the Central Norway Regional Health Authority, which constituted a breach of the requirements regarding personal data security in Article 32 cf. article 24 of the GDPR.
• Høylandet Municipal Council: Høylandet Municipal Council has been fined €41,000 after the Norwegian DPA found that it has breached GDPR for fundamental internal deficiencies in its access management. The Norwegian DPA found that image files containing health data about people with no connection to the municipality were accessible to staff at the health clinic.
• Ultra-Technology AS: Ultra-Technology has been fined €12,500 following a complaint by a private individual who had undergone a credit assessment without any form of customer relationship or other connection to the company. The Norwegian DPA ruled that this was in violation of GDRP and, alongside the fine, ordered the company to prepare written routines for credit ratings in accordance with Article 24.

EDPB adopts Guidelines on restrictions of data subject rights

The European Data Protection Board (EDPB) has adopted a final version of the Guidelines on restrictions of data subject rights under Art. 23 GDPR. The guidelines:

• aim to recall the conditions surrounding the use of such restrictions by Member States or the EU legislator in light of the Charter of Fundamental Rights and the GDPR;
• provide details on the criteria to apply restrictions, the assessments that need to be observed, how data subjects can exercise their rights after the restrictions are lifted, and the consequences of infringements of Art. 23 GDPR; and
• analyse how the legislative measures setting out the restrictions need to meet the foreseeability requirement and examine the grounds for the restrictions listed by Art. 23(1) GDPR, and the obligations and rights which may be restricted.

The final version was adopted during the EDPB's October plenary following public consultation.