Fairhurst v Woodard: 6 things to think about when installing CCTV outside your property

The use of CCTV and other security devices is a common way for individuals, businesses and public bodies to increase the safety and security of their property and their people. The visual and audio technology underlying these systems has become increasingly complex and sophisticated in recent years, as have the methods for gathering, analysing, storing and sharing the digital data collected. Surveillance technology is no longer a passive tool for recording images, but is now a proactive system that can be linked to AI and used for a number of activities from identifying people of interest to the police through to recording shoppers' responses to marketing activities. We have previously written about live facial recognition technology here. The use of surveillance cameras in this way has aroused public concern which has led to a strengthening of the regulatory landscape.

The parties in this case are neighbours who both have access to a shared driveway leading into a large private parking area containing a number of spaces used by local residents. Both of their properties back onto this car park. Dr Fairhurst became aware that Mr Woodard had installed a floodlight and sensor, and a video and audio surveillance camera with an integrated motion sensitive spotlight, both pointing in the direction of the car park. He had also installed a combined doorbell and video and audio surveillance system by his front door, a security camera in his windowsill which both pointed at the street, and a second spotlight camera attached to another neighbour's wall pointing down the driveway towards the car park.

Dr Fairhurst's case is that Mr Woodard was not honest with her about these devices, unnecessarily and unjustifiably invaded her privacy by their use and intimidated her when challenged about them. She argued that this amounted to a nuisance, a breach of UK data protection law and a course of conduct designed to harass her contrary to the Protection from Harassment Act 1997. She sought damages, and injunctive relief mandating the removal of the devices and forbidding the installation of further surveillance cameras. Mr Woodard denied her claims.

The judge found that Mr Woodard caused Dr Fairhurst alarm and distress, by his dishonesty and threatening behaviour, including a threat to set up more concealed cameras and his assertion that two of the cameras were non-operational dummies (when they were in fact active). She found that this behaviour amounted to harassment under the Protection from Harassment Act 1997, entitling Dr Fairhurst to damages for distress.

The nuisance claim failed. Part of that case relied on loss of privacy, the main authority for which is the Court of Appeal decision in Fearn and Ors v Board of Trustees of the Tate Gallery [2020] EWCA Civ 104 in which the court held that mere overlooking from one property to another is not capable of giving rise to a cause of action in private nuisance. The claim for light nuisance failed on the basis that the houses were in the town, where night-time lights are a feature, as opposed to the countryside where it would be less appropriate.

The parties agreed that the images and audio files collected by Mr Woodard were personal data within the meaning of UK data protection law. Their transmission to his phone, computer or other device, and their retention and onward transmission to others (whether neighbours, the police, or the cloud for storage) constituted processing of personal data. This meant that Mr Woodard was a data controller and accordingly must comply with the principles set out in UK data protection law (see textbox below).

Lawfulness and transparency

Importantly, the judge acknowledged that Mr Woodard had a legitimate interest in using the cameras to prevent crime. However, as regards transparency, the judge found that Mr Woodard tried actively to mislead Dr Fairhurst about how and whether the cameras operated and what information they captured.

Necessity/proportionality

The fact that he collected data outside the boundaries of his property meant that the onus was on him to satisfy the Court that such processing of data was "necessary" for the purposes of his legitimate interests. He argued that, having been scared by the attempted theft of his cars, his use of security cameras was reasonable. The judge decided that:

• the processing of data from the front doorbell did find the right balance between the parties' interests because any video personal data was likely to be collected only incidentally as Dr Fairhurst walked past, and his legitimate interest in protecting his home was not overridden by her right to avoid such incidental collection on a public street, even if it was near to her home.
• the camera which was trained on Dr Fairhurst's property was not necessary for the purposes of his legitimate interests as it was not focused on his land or cars. These could have been protected in a less intrusive way, for instance by a camera with a close focus on only the cars in his parking spaces. His argument that this sort of camera would be prohibitively expensive was unsuccessful.
• the audio personal data collected by the devices was held to be unreasonable for crime prevention purposes. A great deal of the required purpose could have been achieved without audio at all, or only picking up sound within the immediate vicinity of the device. The extent of the microphone range meant that personal data could have been captured from people who were unaware that they were being recorded, and their identities could have been revealed from the data itself, from what they said or even by their voices and they could certainly be identified with both the audio and video data used together.

Outcome

The court therefore found that Mr Woodard had breached the provisions of UK data protection law, and that Dr Fairhurst was entitled to compensation and orders preventing him from continuing to breach her rights in the same or a similar manner in the future. However, before making any decision, the judge asked for further submissions from the parties in relation to both the data protection and harassment claims – so it is not yet clear exactly what remedies Dr Fairhurst will be granted.

The ICO has issued a code of practice here for organisations that use CCTV, automatic number plate recognition technology, body-worn video, drones and other systems that capture information of identifiable individuals.  All entities using these systems should satisfy themselves that they have complied with its requirements.  Here is a summary of its 6 key points: