With the use of CCTV on the rise, it has become increasingly important for controllers to find a framework in which the conflicting rights of those who are subject to such surveillance are balanced. In its recent decision of TK v Asociaţia de Proprietari bloc M5A-ScaraA EU:C:2019:1064 (TK), the CJEU considered whether the processing carried out by CCTV cameras was necessary and proportionate for the purposes of legitimate interests pursued by the controller.
In this case, CCTV cameras were installed in the common areas of TK’s apartment building in order to deal with security. TK, the owner of one of the apartments, objected and sought to have cameras removed. National law permitted the use of CCTV cameras without the data subject’s consent for specified uses including the prevention and countering of crime and the safety and protection of persons, property and assets. The Romanian court referred a number of questions concerning the national law’s compatibility with the Data Protection Directive (Directive 95/46) (Directive) and provisions of the Charter of Fundamental Rights of the European Union (Charter).
In considering whether the processing carried out by CCTV cameras was necessary, the CJEU pointed out the fact that there was a history of vandalism and burglaries in TK’s apartment building, despite the previous installation of a card-based security system. The CJEU held that “hypothetical” interests would not satisfy the legitimate interests condition as the interest must be proven to be present and effective at the time of processing. According to the CJEU, in this case, the requirement of present and effective interest was satisfied given the instances of theft and vandalism prior to the installation of the CCTV cameras.
The CJEU re-emphasised that the legitimate interests condition requires processing to apply only so far as “strictly necessary”. This means the objective “cannot reasonably be as effectively achieved by other means less restrictive of the fundamental freedoms.” The CJEU then turned to the data minimisation principle and considered whether it was necessary for the CCTV system to run constantly, or only at certain times of the day and night.
In carrying out the fact specific balancing exercise, the CJEU stated that factors such as the nature of the personal data at issue, in particular the potentially sensitive nature of those data, the specific methods of processing involved, the number of persons having access to the data and the methods of accessing the data needs to be considered. In addition to the foregoing factors, the data subject’s reasonable expectations of their data being further processed needs to be balanced against the legitimate interests of the building owners in protecting the property, health and lives of the building’s occupants.
The case demonstrates the need for operators of CCTV to carefully consider how such use can be done in compliance with the General Data Protection Regulation and with the recently issued video devices guidance published by the European Data Protection Board.