Couple can’t store data from camera pointed at next door’s garden
A judge in a Scottish court has just taken a privacy ruling from cyberspace and applied it to the real world as he fined a couple for videoing their neighbours through a webcam ostensibly set to monitor his back garden.
The same judgment arguably also transfers the obligations of a corporation to the individual, classifying the man doing the filming as a data controller.
The case was brought against Edinburgh’s Nahid Akram, who with her husband Sohail installed a set of cameras after applying to change the use of their house to a bail hostel. The application had been opposed by neighbours Debbie and Tony Woolley and according to press reports, relations between the families soured after that point.
The sheriff in the court agreed in the judgment that the Akrams – specifically Nahid, named in the case – had deliberately trained their cameras and microphones on the Woolleys’ home, compromising their privacy. They felt unable to go out and converse in their own back garden and their daughter felt unable to sunbathe because it would be filmed and the footage retained for up to five days.
The judge ruled against the Akrams, awarding £17,000 compensation to the Woolleys, in a move that is noteworthy on a number of grounds.
First, the judgment refers back to a case brought against Google for continuing to track Safari users when they had logged out of Google.
Second, reassuringly, it establishes absolutely that there is more to privacy than the financial implications; outside the legal costs, the Woolleys technically didn’t pay anything for this.
Third, and this is a key point, the Akrams claimed they weren’t actually keeping the recordings because the system kept it for five days only by default. This was comprehensively thrown out, so you could assume the “couldn’t be bothered with the settings” defence is from this point onward a non-starter.
Finally, as well as transferring the implications of the Google ruling into the “real” world, if that’s genuinely a distinction, we note it takes the effect from the corporate world and into the domestic arena.
Akram in effect became fully liable as a data controller and needed to implement all the due diligence that would have been needed in the corporate world once she’d done so.
Although this is a Scottish-only judgment for the moment, it should send clear messages out to everyone using a recording device of some sort and assuming they’re probably covered because they’re such small fry.
Article source: Naked Security – Sophos