General News

Amazon Ring and Facebook fines

Judge rules that Amazon Ring doorbells breach GDPR:

A judge in Oxford County Court has ruled that audio recordings from an Amazon Ring doorbell have breached data protection laws. The case involved an individual taking their neighbour to court, stating that the numerous recordings they had from their various cameras they had set up outside their house amounted to harassment and a breach of the Data Protection Act 2018.

The judge has ruled that whilst the video that the cameras capture is suitable for legitimate purposes (in this case crime prevention), the audio that they capture greatly exceeds the scope of the video, and the cameras can achieve the purpose of crime prevention without the audio. The judge is quoted as saying:

“I am satisfied that the extent of range to which these devices can capture audio is well beyond the range of video that they capture, and in my view cannot be said to be reasonable for the purpose for which the devices are used by the Defendant, since the legitimate aim for which they are said to be used, namely crime prevention, could surely be achieved by something less.”

As part of the case, there’s a quote from a Ring spokesperson, who has offered guidance on how you can use your Ring doorbells, as well as other security cameras you may use in accordance with the relevant data protection legislation, where they have said:

"We strongly encourage our customers to respect their neighbours' privacy and comply with any applicable laws when using their Ring device. We’ve put features in place across all our devices to ensure privacy, security, and user control remain front and centre – including customisable Privacy Zones to block out 'off-limit' areas, Motion Zones to control the areas customers want their Ring device to detect motion and Audio Toggle to turn audio on and off."

It appears that the main thing to do is to show that you’re using Ring doorbells for their intended purpose and have limited the amount to which you are videoing/ retrieving audio from your neighbours’ space. In addition to this, the ruling from the judge in this case doesn’t set a precedent as it happened in a lower court, and only the High Court and Court of Appeals set precedent. The ruling may however be cited in cases going forward to form part of an argument.

Amazon Challenges Record Fine


In July, CNPD, Luxembourg’s data protection legislator (where Amazon have their EU base) issued Amazon with a fine totaling 746 million euros for breaching GDPR. Recently, Amazon has appealed this fine stating that they haven’t breached any GDPR laws or misused user’s personal data

Amazon has frequently been criticised for the levels of data they collect on independent retailers who sell on their website, customers and Alexa users. The data Amazon collects is then used to inform them on what products and ads they show each user, with the aim of course being to get users to spend more. Since the original ruling in July, Amazon has continually stated that from their point of view there has been “no data breach, and no customer data has been exposed to any third party.” They have also stated that they strongly disagree with Luxembourg's findings, which must come as a shock to you I’m sure. 

Amazon have stated that the data they collect from various sources is only used to improve the user’s experience, and there are rules and restrictions put in place to ensure that employees don’t mistreat the personal data that they have access to. The rebuttal that authorities have posed to this is that Amazon use the great amount of data they collect to give themselves an advantage over others in the marketplace.

It’s not clear yet how successful Amazon will be with their appeal, however the appeal comes at a time when other EU authorities are assessing Amazon’s operations and whether they breach data protection laws. The EU is currently looking into whether Amazon uses data from sellers on their website in order to favour their own products, and Germany and the UK are also looking into Amazon’s sales and whether they are misusing the data they are collecting. 


Ireland’s Facebook decision triggers arguments over limits of GDPR

Ireland’s Data Protection Commission have stated that they plan to fine Facebook between €28 million and €36 million over a lack of transparency on how they use users’ data. There has been some push back to this decision however from privacy campaigners, as they say it gives Facebook too much leeway to collect data on people without their consent.

27 watchdogs from EU countries are expected to weigh in on Ireland’s draft decision, and an unnamed official has been quoted as saying that if the decision is upheld, it would “entail the end of data protection as we know it.” The main worry is that the decision allows Facebook, and therefore other organisations to circumvent data protection laws and mean that data can be collected without users’ consent.

The way Facebook has done this is by claiming that they collect personal data as part of a contract with users. By doing so, Facebook is relying on a clause in GDPR- ‘relying on a contract.’ By doing so, they can get around the need for explicit consent from users to collect their personal data. As part of their argument, Facebook has also argued that users know this when they sign up, and are aware that Facebook relies on personal data for its business model to deliver personalised ads.

The DPC has stated that whilst they do not dispute this argument, they lack the authority to judge whether the agreement is fair on users, and that a consumer authority is better placed to make a judgment on that. The disagreement on whether the contract between users and Facebook being fair or not forms part of an ongoing spat on just how much GDPR should go towards regulating data. For example Germany’s decision in the past which aimed to stop Facebook’s data practices has received some pushback, as it has been argued that authorities are using GDPR to enforce competition rules, which it has been argued goes outside the authority’s remit. 

EU privacy regulators currently have one month in which to weigh in on Ireland’s decision, so it'll be interesting to see the outcome of the appeal, and definitely one to keep an eye on! More details on this can be found here.