In December 2016, the Montenegrin Personal Data Protection Agency (“Agency”) conducted an inspection related to video surveillance in a tavern in the city of Kotor. The Agency made a formal finding that a majority of cameras – both inside and outside the tavern – were positioned in a way that results in excessive data processing. The owner of the tavern complained about the finding, and in February 2017 the Agency issued a decision rejecting the complaint on substantive grounds. Even in relation to the two cameras which were out of function the Agency found a violation of the privacy law, because the cameras created an impression that video surveillance was being conducted and, consequently, a feeling of insecurity among visitors and pedestrians.
In the case, there were no less than 15 cameras covering the space both inside and outside the tavern. During the on-site inspection, the Agency established that 11 cameras processed the data in a disproportionate manner, in contravention of several provisions of the Montenegrin Personal Data Protection Act (“DP Act”).
The processing was contrary to the principle of proportionality. The data may be processed only in the amount and in the manner necessary to achieve the purpose of the processing. The DP Act stipulates that an entity may implement video surveillance to provide for the security of persons and property and to control who enters or leaves official or business premises. The video surveillance is also permissible when, due to the nature of the business, there is a possible risk to the employees.
These purposes may seem broad enough to justify the installation of cameras in the tavern, but another provision in the DP Act narrows the boundaries of permissible video surveillance. According to Article 36, para. 2, the video surveillance is not permitted in the space reserved for the clients and visitors. This means that the owner of the tavern is allowed to record who enters and leaves the premises, but not to record the guests as they sit by the tables inside the tavern. In this regard, the Agency ordered to the owner to remove the cameras which record the guests and to delete the footage already recorded.
On the other hand, the Agency established that the cameras positioned to record the kitchen and the bar may stay. Although not expressly stated in the Agency’s decision, it is reasonable to infer that these cameras do not record the guests and therefore the Agency did not find the use objectionable. The Agency did not examine whether the nonstop recording was excessive vis-à-vis the employees who work in the bar and in the kitchen, i.e. whether the tavern could protect the security of its personnel and property without exposing the personnel to constant recording.
The Agency found that the presence of two cameras which were out of function, both located outside the tavern, was also in violation of the DP Act. One camera was turned toward the main road, and the other toward the tavern’s terrace with the guests. The Agency determined that the presence of the cameras created an appearance of video surveillance and a sense of insecurity.
One may conclude that the Agency has equated the situation when a camera properly functions and thus processes personal data (i.e. records people) with the scenario in which a camera is out of function and does not process any personal data. The Agency apparently considers that in either case, presence of the camera creates a sense of insecurity among the affected individuals.
The Agency’s reasoning may be difficult to square with the European Court of Human Rights’ pronouncement in Perry v The United Kingdom (2003), to the effect that “the monitoring of the actions of an individual in a public place by the use of photographic equipment which does not record the visual data does not, as such, give rise to an interference with the individual’s private life”. The Court referred to an earlier decision of the Commission, in the case Herbecq and Another v. Belgium (1998). In that case, the Commission reasoned that, “given that nothing is recorded, it is difficult to see how the visual data obtained could be made available to the general public or used for purposes other than to keep a watch on places”. If the use of functional cameras which do not record anything is lawful, it is not clear why the mere presence of out-of-function cameras would be infringing.
Perhaps the Agency would be on a more solid ground if it shifted its focus from the argument that people feel insecure when they spot cameras, to the argument that the use lacks an appropriate purpose. If the purpose is legitimate, then it is not crucial whether individuals feel insecure or not, i.e. implementation of video surveillance may be lawful even when individuals have a feeling of unease. If the purpose of video surveillance is to enhance the security of individuals and property, then such purpose may be achieved by recording only the entrance to, and facade of, the premises. Placing cameras so to capture a vast area or individuals engaged in purely private affairs (such as tavern guests chatting around the tables) is likely to amount to disproportionate processing and thus be unlawful.
