"Detect movement when someone enters your property. Receive notifications on your phone, tablet or PC. See, hear and speak to visitors in real time, wherever you are."(1) So says Ring, one of the most popular brands in the security world. This is music to the ears of many consumers. After all, who doesn't want to know what is going on around their home and who is entering their property? Besides, it is also just convenient to be able to remotely tell the mail carrier that the package can be put in the garden. But are consumers aware of the legal aspects that the gadget brings?
author: Merel Geurts
We often read that there must be a good reason to hang a video camera or that it should only be done when necessary, but what is meant by this and what is the role of the consumer? On top of that, the user himself also creates privacy risks. We haven't forgotten news stories like "Ring smart doorbell app is full of trackers that send personal data to advertisers"(2) and "Four Ring employees fired for abusing user videos"(3), have we? So there are two sides to the popular gadget.
By installing and using the digital video doorbell, consumers may have to comply with the General Data Protection Regulation (GDPR), known as the Privacy Act. The buyer may think that he or she is not subject to this because the doorbell is just for private use, right? However, if the digital video doorbell is filming part of a public area, all obligations under the AVG must be met. To avoid this, the consumer must set the range of the video doorbell so that only their own property is filmed. When a residential area is involved, this becomes difficult. The doorbell then quickly films a part of the sidewalk or street and in that case the digital video doorbell does fall under the AVG. In addition, the data may not be shared on the Internet. Although the Ring app has a standard function to share the images via WhatsApp or Facebook, it is strongly advised not to do so. If the user does do this, the processing does not fall under private use and even then the following obligations must be met.(4)
Before the consumer starts using the digital video doorbell, the purpose of the processing should be recorded in writing. This purpose may be to protect property and premises. The processing of personal data for this purpose must be based on a legal basis. There are several bases in the law, but for video cameras, consent of the data subject or the pursuit of a legitimate interest is commonly used. Proving consent is difficult to prove given the nature of video doorbells, which also film unknown persons. It is therefore recommended that the processing be based on the "legitimate interest" basis.(5) But what exactly does this entail and what should the consumer do?
First, the consumer must have a legitimate interest. It has been determined that the protection of property is a legitimate interest, but this interest must be current.(6) This means that there must be a situation of emergency before the digital video doorbell may be hung. This could include a previous burglary or living in a neighborhood where there are many residential burglaries.
In addition, consumers should always ask themselves whether the video doorbell is appropriate to achieve the goal and whether there is not a less intrusive measure; for example, security locks can also be used to prevent burglary. This measure, unlike the video doorbell, does not invade the privacy of visitors or passersby. Consumers should make this consideration up front. In principle, necessity ends at the property boundary, but since filming part of the public space is unavoidable in many cases, technical measures should be taken to limit this.(7) As discussed earlier, the motion detector of the doorbell is customizable. This allows the consumer to determine exactly what is necessary for the purpose and disable the non-necessary portions. The consumer also ascertain what type of use is necessary. Ring's doorbell can be used both with and without a subscription. Without a subscription, the consumer has a doorbell that only captures live images, but with a subscription, the images are also retained and stored.(8) When only burglary prevention is the purpose, it has been determined that real-time monitoring is sufficient.(9) When the subscription does require the purpose, the consumer must consider storage restriction. It is important that content not be stored longer than necessary for the purpose. If the purpose is to protect property, damage can often be established in 72 hours. This means that keeping longer would violate the AVG. If the content is kept longer, the consumer must be able to prove that it was necessary.(10)
Finally, the consumer should always weigh the interests of the individuals he or she is filming by considering the impact on the individuals involved and the severity of the invasion of their privacy. The consumer should then prevent or mitigate these consequences by considering the above points.(11)
Once all the above conditions are met, the consumer must also fulfill the following obligations:
Duty to inform
Consumers have a duty to notify individuals that they are being filmed by the digital video doorbell. How? The consumer can use a warning sign for this purpose. This sign must be placed so that persons are aware of the video doorbell before entering the filmed area. Thus, it is best to attach the sign at the beginning of the monitored area, such as on a gate. The warning sign should include key information, including the identity of the consumer, the purpose of the processing and the rights of data subjects, as well as whether the recordings will be retained or shared. The warning sign should refer to, for example, a link or a phone number, where individuals can find more information.(12) The warning sticker that Ring includes does not meet this requirement. Consumers should use a different sign or supplement the sticker with this information.
Security obligation
The consumer is also obliged to take measures to secure the data collected.(13) This should be done in advance. This is where the motion detector comes into play again; it must be set as privacy-friendly as possible. This means that the consumer sets the detector to the minimum distance of two meters and turns off the areas where the public area can be seen in the motion field of the doorbell. Next, every effort should be made to secure the data collected as best as possible:
Setting up two-factor authentication in the Ring app;
Setting and periodically changing a strong and unique password;
Not sharing personal data with third parties;
Update and password protect the device linked to Ring.(14)
Register obligation
Finally, the consumer is obliged to keep a processing register, as he or she must be able to hand over an overview of the processing when requested by the Autoriteit Persoonsgegevens (AP). This summary must contain key information, including, for example, the consumer's contact information and the purpose of the processing.(15) To make it easy for consumers, a sample processing register has been prepared.(16)
Using the digital doorbell responsibly is not for nothing. The AP can impose measures. These may include a processing ban that prohibits the consumer from using the video doorbell, as well as a fine. Persons he or she films can additionally take action. They can file a complaint with the supervisory authority, which may require the consumer to stop processing and using the video doorbell. The individual can also go to court and seek damages for the infringement of his or her rights.(17)
Of course, none of this is what consumers want and expect when they purchase a digital video doorbell. After all, such a digital gadget is just really convenient and fun, isn't it? If the steps in this article are followed and the digital video doorbell is handled responsibly, the gadget will remain so. Again, these steps do not apply when the doorbell is only used for private purposes and the public space is not filmed. In that case, consumers do face the following other privacy risks.
Using Ring's digital video doorbell also poses risks to consumer data. The terms of service and privacy statement show that Ring does more with this data than you might think. Among other things, Ring may access and use user recordings, resell or share retained data, and transfer this data to other countries.(18)
Furthermore, investigations have shown that Ring is not or not fully compliant with the AVG in certain respects. For example, we do not know what data is being processed for what purposes. It seems as if the data gets piled up and Ring can use all the data for any purpose. So we cannot call this very transparent. Of course, Ring also needs a legal basis to process consumer data. Partly due to lack of information, no legal basis has been found for a number of purposes. It is also impossible to find out how long the data is stored; unclear or even no storage periods are given. Finally, there is plenty to say about Ring's security. As described at the beginning of this article, there have been situations where Ring has not provided sufficient protection. New security measures have since been introduced, but even there much responsibility is placed on the consumer. For example, consumers should disable personalized ads, in which the brand shares the consumer's data, themselves in the Ring app. Furthermore, it is strongly advised to protect the data by taking the measures described in the security requirement. If the consumer does this, he or she can largely ensure the protection of the retained data and use the gadget responsibly.
Merel Geurts wrote this article at the request of the Law and Digital Technology Lectorate of the Avans & Fontys College of Law, following a study on Ring's "smart doorbell.
(1) Doorbells, nl-nl.ring.com.
(2) Smart Ring doorbell secretly sends data to advertisers, January 28, 2020, rtlnieuws.nl.
(3) Four Ring employees fired for abusing user videos, January 9, 2020, nu.nl.
(4) The European Data Protection Board, Guidelines 3/2019 on processing of personal data through video devices, January 29, 2020, edpb.europa.eu, p. 7-8.
(5) The European Data Protection Board, Guidelines 3/2019 on processing of personal data through video devices, January 29, 2020, edpb.europa.eu, p. 14.
(6) The European Data Protection Board, Guidelines 3/2019 on processing of personal data through video devices, January 29, 2020, edpb.europa.eu, pp. 9-10.
(7) The European Data Protection Board, Guidelines 3/2019 on processing of personal data through video devices, January 29, 2020, edpb.europa.eu, p. 11.
(8) Protect plans, nl-nl.ring.com.
(9) The European Data Protection Board, Guidelines 3/2019 on processing of personal data through video devices, January 29, 2020, edpb.europa.eu, p. 11.
(10) The European Data Protection Board, Guidelines 3/2019 on processing of personal data through video devices, January 29, 2020, edpb.europa.eu, p. 28.
(11) The European Data Protection Board, Guidelines 3/2019 on processing of personal data through video devices, January 29, 2020, edpb.europa.eu, p. 11.
(12) The European Data Protection Board, Guidelines 3/2019 on processing of personal data through video devices, January 29, 2020, edpb.europa.eu, p. 26- 27.
(13) Article 25 and Article 32 AVG.
(14) Additional layers of security and control, February 24, 2020, nl-nl.ring.com.
(15) B. W. Schermer, D. Hagenauw, N. Falot, Handbook on General Data Protection Regulation and Implementation Act on General Data Protection Regulation, January 22, 2018, authoritypersoonsgegevens.nl, p. 52.
(16) Sample register
(17) B. W. Schermer, D. Hagenauw, N. Falot, Handbook on General Data Protection Regulation and Implementation Act on General Data Protection Regulation, January 22, 2018, authoritypersoonsgegevens.nl, p. 90-92.
(18) Terms of Service and Privacy Statement.
