The announcement that Google’s smart homewares firm Nest has developed a motion-activated web cam for home security purposes sounds like a neat idea for those householders about to leave on holiday, or want to know what the au pair is doing in their bedroom when they are out at work.
However, householders using the Nest Cam technology in the European Union (EU) need to be aware that any images they capture of people are regarded under 95/46/EC as personal data, and as such, those that capture the images need to register with their country’s Data Protection Authority (DPA) that they are storing personal information, and potentially in order to comply with the registration, put up signs warning people in the house that they may be subject to recording of their activities.
The new device comes from developments following the acquisition of Dropcam by Nest in 2014 (which itself had only recently been acquired by Google). Motion-activated, it streams and then records live video to Google’s servers. It then ‘alerts’ those customers and then gives them access to the recordings for 10 or 30 days, for a ‘nominal’ amount of £8 or £24 per month respectively. So that’s the technology bit.
Now the legal aspect. Under the EU Directive 95/46/EU images of people, are personal data, and as such should only be managed by a Data Custodian who can ask a Data Provider to store it on their behalf, although the Data Custodian retains ultimate responsibility for the storage, access and even loss or breach of the data.
Now the fun bit, and why we need the forthcoming EU Data Protection Regulation (#EUdataP, #gdpr) without it being watered down over the next months.
Data Protection today (UK focused)
The Data Custodian is the person/organisation capturing the personal data, so the householder, and therefore Google (with the majority of it’s servers in the US), will be the Data Provider. But with a Nest Cam, it could potentially be argued that Google via Nest is the Data Custodian, but that misses the real issue of 'informed consent' for the data to be stored.
In either circumstance, under 95/46/EU personal data captured in the EU can only be ‘exported’ outside the European Economic Area (EEA) with the explicit consent of the data subject, easy when you fill in the bank loan application, but how do you get the ‘ne’er do well’ who is taking your iPad and jewelry from your bedroom to consent that their image can be stored by a hosting provider in US?
Simple fact, you need to alert them to the fact they are being recorded. Thus a sign such as we see in many ‘public places’ in the UK, stating that images are subject to recording, and who the is Data Custodian, is probably going to be required in houses installing a Nest Cam. Furthermore, taken to the limit of the UK law, the householder needs to register with the UK Information Commissioner’s Office (ICO) – other EU countries have their own DPA - as a Data Custodian. The reason being if you are not the Data Custodian (in the UK), and you present evidence gathered without the data subject’s consent, that may be inadmissible in court.
Do you really want a Nest Cam? Of course you do, it will be fun when the smallest child says that the dog has eaten the cheese in the fridge. But please ensure you have registered yourself as a Data Controller with the ICO.