Judgment Approved by the court for handing down
R (Bridges) v CCSWP and SSHD
on an analysis of their browsing history. (ii) Taking
those two elements together, the BGI enables the
defendant to single out users because it tells the
defendant (a) the unique ISP address of the device the
user is using ie a virtual postal address; (b) what
websites the user is visiting; (c) when the user is visiting
them; (d) and, if geo-location is possible, the location of
the user when they are visiting the website; (e) the
browser’s complete browsing history; (f) when the user
is online undertaking browser activities. The defendant
therefore not only knows the user’s (virtual) address; it
knows when the user is at his or her (virtual) home.”
(emphasis added)
Thus, the court concluded that it was arguable that the BGI on its own was
sufficient to identify the claimants for the purposes of the personal data
definition. There was no conclusive determination of that issue in those
proceedings as the claims were compromised.
121.
The decision of the CJEU in Rynes v Urad [2015] 1 WLR 2607 is also relevant
on this point. The question referred to the court in that case was whether,
when a householder put up a surveillance camera to protect his property, and
the camera recorded the entrance to his home, part of a public footpath, and the
entrance to the house opposite, that entailed “processing of personal data … by
a natural person in the course of a purely personal or household activity” and
therefore was data processing outside the scope of the 1995 Directive. In the
course of deciding that issue the court clearly took the view, as a necessary
part of its reasoning, that the surveillance camera images comprised personal
data.
“21.
The term “personal data” as used in that provision
covers, according to the definition under article 2(a) of
Directive 95/46, “any information relating to an identified or
identifiable natural person”, an identifiable person being “one
who can be identified, directly or indirectly, in particular by
reference … to one or more factors specific to his physical …
identity”.
22.
Accordingly, the image of a person recorded by a
camera constitutes personal data within the meaning of article
2(a) of Directive 95/46 in as much as it makes it possible to
identify the person concerned.
23.
As regards the “processing of personal data”, it should
be noted that article 2(b) of Directive 95/46 defines this as
“any operation or set of operations which is performed on
personal data … such as collection, recording … storage”.
24.
As can be seen, in particular, from recitals (15) and
(16) to Directive 95/46, video surveillance falls, in principle,