Technology has always presented challenges for the courts and for lawmakers. The smart doorbell is only one such example.
How do you interpret existing laws in the light of new and evolving technological developments? Are there gaps that require new laws to fill? Could there be unexpected or dangerous uses that need regulation?
These questions arise whenever a new technology is rapidly adopted at scale. One example is the rise in surveillance technology. CCTV was first used in the UK in the 1960s and its use grew quickly in the 1980s and 90s. But traditional CCTV was expensive to buy and run, so use was generally confined to public authorities and larger businesses.
That’s all changed in the past twenty years. Surveillance cameras and similar equipment have become significantly cheaper, making them an affordable purchase for many households.
The leading brand is ‘Ring’, owned by Amazon, with its smart doorbells and cameras selling for under £100. There may be as many as 3 million of these devices in the UK already, and this number is only likely to rise.
Application of data protection law
Data protection law exists to provide a framework for processing ‘personal data’ – that is, information that relates to identifiable individuals. Images of identifiable individuals captured by surveillance cameras are personal data, so data protection law applies.
There is an important exception to this rule. The legislation does not apply where the processing of personal data is “by an individual in the course of a purely personal or household activity”.
So what about domestic surveillance cameras? Are the images captured by your Ring doorbell covered by data protection law?
The answer to these questions is surprisingly complicated.
Purely personal or household activity
The leading case remains Ryneš v Úřad, decided in 2014, and relating to events that took place in 2007. Given the pace of technological change, this is ancient history, as this passage from the European Court of Justice’s judgment clearly demonstrates:
“[The defendant] installed and used a camera system located under the eaves of his family home. The camera was installed in a fixed position and could not turn … The system allowed only a visual recording, which was stored on recording equipment in the form of a continuous loop, that is to say, on a hard disk drive. As soon as it reached full capacity, the device would record over the existing recording, erasing the old material. No monitor was installed on the recording equipment, so the images could not be studied in real time.”
So, no motion sensors, no audio recording, no instant app notifications, no two-way communication and no cloud storage.
The defendant had installed the camera to protect his property and his family. His house had been subjected to vandalism and windows had been broken on several occasions.
After the camera was installed, his house was attacked again and windows were broken by a shot from a catapult. The camera allowed two suspects to be identified. The recordings were handed to the police and the suspects brought to trial.
One of the suspects then complained to the Czech data protection authority, which ruled that the defendant’s surveillance system was unlawful. He had not complied with obligations set out in Czech data protection law, which implemented an EU directive. The defendant disputed this, arguing that his processing of personal data was a ‘purely personal or household activity’, and the case was referred to the European Court of Justice.
The key issue for the court was the position of the camera. It recorded the entrance to the house, the public footpath and the entrance to another house opposite.
The court ruled that (my emphasis):
“To the extent that video surveillance … covers, even partially, a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner, it cannot be regarded as an activity which is a purely ‘personal or household’ activity …”.
The images from the defendant’s camera were therefore subject to data protection law.
The current position
Although the EU directive in question has long since been replaced and the UK has left the EU, our data protection law contains identical wording, so this case remains an important precedent.
The Information Commissioner’s Office, as the regulator for data protection law in the UK, has published guidance for households on home CCTV systems. The ICO follows the case law in stating that people who capture images or audio recordings from outside their property boundary must comply with data protection law. And this principle has been upheld by the courts in more recent cases in the UK.
But is that really still appropriate?
There are tens of thousands of homes in the UK with doorways opening directly onto the street. Is it right that their occupiers must take steps to comply with data protection law if they install a smart doorbell, whereas householders with a long enough driveway are exempt? And what does that mean for the increasing number of us who use these systems as part of our daily lives?
Is the law still fit for purpose?
The Ryneš case was decided at a time when domestic CCTV systems were unusual, and the camera in question was deliberately positioned to detect behaviour taking place outside the boundaries of the property.
Fast forward to 2026 and smart doorbells are now a part of everyday life. Most users are simply using them to identify and communicate with callers to their home. Using a smart doorbell camera in this way feels very much like a purely personal or household activity.
Of course, modern surveillance technology is sophisticated enough to be used maliciously to spy on neighbours or target people in public spaces. That is exactly where data protection law, and indeed other laws including those on harassment, should apply.
But individuals should not be subject to data protection law simply by virtue of the (potential) incidental capture of images of passers-by, based on a test developed by the courts over a decade ago in different circumstances and relating to very different technology. Instead, the deciding factor should be how and why surveillance cameras are used.
Potential consequences
Whilst most users won’t think about data protection law when they install their smart doorbell, the potential consequences can be serious.
Data protection law is complex and contains multiple obligations on those who process personal data. Like the unfortunate Mr Ryneš back in 2007, individuals may struggle to comply with all the obligations imposed upon them, and could face legal consequences if they get it wrong.
You can minimise these risks by ensuring any devices which record information beyond the boundary of your property are set up to only capture the information needed. That means carefully positioning the cameras and adjusting their settings. And audio recording is generally seen as more intrusive than video, so this should be kept to a minimum.
But until the courts revisit this issue, your smart doorbell may be increasing your legal risks in unexpected and unforeseen ways.