With apologies to Rockwell.
Over on LinkedIn there’s been a conversation around the legalities of recording phone calls and it’s all got a bit convoluted with people talking about video doorbells and all sorts. I don’t profess to being an expert on everything but I can share what I know.
Let’s deal with traditional tech first. With my (crap) amateur photographer’s hat on: it is perfectly lawful to take photographs of people in public, you don’t need their permission (though of course it’s polite to ask). If you intend to profit from the images then it’s sensible to get written consent from the model – a ‘model release form’ – but there’s no UK legal requirement for this, it just might make it easier to sell especially if your market is overseas.
There are exceptions to this though. You can’t photograph people where it would be reasonable for someone to expect privacy (such as through their living room window)…
…and some areas are explicitly verboten (such as railway platforms, thanks to the Terrorism Act 2000, the first of MANY bits of legalese we’re about to shallow-dive into). Private land is slightly odd in that a landowner can ask you to leave, and you’re potentially trespassing if you refuse, but you can continue to take photos of that land so long as you’re no longer on it!
With my former Tech Support hat on: for recording phone calls there is a lot of legislation here. Under the Regulation of Investigatory Powers Act 2000 (RIPA) it is perfectly legal for individuals to record calls for their personal use and they don’t need to notify the other party. However, they cannot share those recordings without consent from all parties on the call otherwise we’re rapidly heading into breach of UK GDPR territory. I think this embargo can be overruled in court?
A business recording a call mostly falls under the Data Protection Act 2018 (DPA) – GDPR pertains to an individual’s data, though remember an employee is also an individual – and loosely speaking this means that they have to explain what they’re doing with it in order to obtain consent. This is why you get the “please note, your call may be recorded for training or monitoring purposes” when calling many businesses, it’s a simple way of arse-covering. They can record without requiring explicit consent because of yet more legislation, the Telecommunications Regulations 2001, but there are very specific situations where this consent isn’t required such as in the suspicion/investigation of criminal activity.
Which brings us to video doorbells.
As far as I can gather, all the preamble above is largely copied across wholesale to encompass emerging technologies. Whilst legislation does get amended, some of this stuff goes back many years (the Interception of Communications Act which deals with things like call tapping is from 1985) and a tenet of English Law is “what did we do last time?”
A good deal of what’s changed here is just common sense. If you point a video camera at the bedroom window of your attractive neighbour across the street, you’re likely on sticky ground (in more ways than one). Some doorbell cameras have privacy settings where you can occlude areas being recorded. If you’re only recording your own property then you’re probably good – which is fine if you’re monitoring your driveway, less useful if your front door opens directly onto the street because you might find that you’re suddenly a Data Controller under UK GDPR. If you’re recording audio then it may be difficult to avoid accidentally recording conversations from passers-by so maybe consider putting up a sign warning people that video/audio recording is in use.
TL;DR – don’t be daft. There has been at least one prosecution for this (google Fairhurst v Woodard) but it was a pretty extreme invasion of privacy.
Remember from earlier “sharing with a third party”? This is fun. My Ring doorbell footage gets uploaded to a cloud service (AWS). Is Ring a third party in this context? Is Amazon? Can Ring staff view my footage or is it encrypted? Newer versions of Ring hardware and its app support End-To-End Encryption (E2EE), to which the answer would be an emphatic “no,” but E2EE is opt-in and disabled by default because you lose a ton of features in the process. Without E2EE, footage is still encrypted ‘in flight’ and ‘in storage’ which is probably good enough for most personal privacy concerns but that’s not really what the crux of the matter is here.
What if I process the recordings through an A.I. service, is that considered transferring data to a third party? Is that considered ‘sharing’ at all? What about using the A.I. functionality that Ring themselves released a couple of months ago? UK GDPR applies here but it is this considered reasonable processing? Legitimate Interest? Or does it have the potential to get messy fast?
This is not legal advice, I don’t have the answers, I am not a lawyer. It’s just food for thought and I expect it’ll take a few “landmark cases” to pin down. But I’d be interested to hear others’ take, this is pretty uncharted territory.
Don’t ask me about drones.
[Disclaimer: I use the term “English Law” deliberately because that’s where I live. Other territories have other legal considerations.]