THERE HAS BEEN a “big rise” in the number of complaints relating to CCTV cameras outside peoples’ homes, the Data Protection Commissioner has said.
Helen Dixon told TheJournal.ie in an interview that domestic CCTV is “an issue that really bothers people”.
“We’ve seen a big rise in complaints from individuals whose neighbours have installed CCTV cameras that are trained beyond the perimeter of the neighbour’s home,” Dixon said.
And of course, that’s not permitted in data protection terms. The cameras should be trained within the perimeter of your own home.
She said if they are trained beyond this, people acquire “the full obligations of a data controller”.
If a CCTV camera is used solely by the people living in the home and doesn’t capture a public space or a neighbour’s property, it isn’t subject to these obligations.
However, if a person publishes their footage online or share it on social media they may be subject to the obligations of a data controller.
Any person or organisation that collects and processes peoples’ personal data is considered a data controller, according to the DPC.
The ‘personal data’ in this instance is a video recording in which people can be identified.
Asked about other common complaints her office has dealt with in recent months, Dixon said there had been a lot of contacts from employees “feeling that they’re being monitored electronically” by their employers.
“Often there are much broader issues in the dispute, but what comes to us is using CCTV in disciplinary processes, introducing turnstile tracking systems and then using the clock-in clock-out information in disciplinary processes and monitoring of employees through electronic means.”
Dixon said the DPC this year wants to “give clearer guidance” on any confusion about what constitutes a breach of data protection law in these instances.
Twitter fine
On 15 December, the DPC imposed a €450,000 fine on Twitter in a landmark ruling over a violation of EU data privacy rules.
The ruling related to an incident publicly disclosed in early 2019 where a security glitch had made some users’ private tweets public, and Twitter failed to send a breach notification to the DPC within 72 hours of its discovery, as is required under GDPR.
It was the first major fine issued by the regulator to a US tech giant for a breach of GDPR.
Dixon said the legal analysis behind this case was “much more significant” than the fine itself.
“I think what will truly deter and guide organisations to not falling into the same issues as Twitter did, is by reading the legal analysis in the decision, just as much as the fine will act as a deterrent.
A lot of people commenting on it appear to have misunderstood that the significance of that Twitter decision is the fine and of course, it’s not particularly.
“The fine is just an end result of the much more significant legal analysis and infringements that are in the decision.”
To embed this post, copy the code below on your site
have your say