🏆 PICCASO Awards Nominee + Growth! DataHub is expanding its Country Reporter Network across Africa. Be part of the story → Apply Here
Free Consultation
Free Consultation
Free Consultation
Your Cart
Loading

Is Your Neighbour Secretly Watching You? What You MUST Know About CCTV in Home

For many residents across estates and neighborhoods, the installation of Closed-Circuit Television (CCTV) cameras offers a necessary layer of security against theft and break-ins. However, this technology, designed to protect property, often introduces a significant tension with the fundamental right to privacy, especially concerning neighboring plots and shared community spaces. When a homeowner aims a camera over their fence, they may unintentionally transform themselves from a concerned resident into an unlawful Data Controller.


Recent determinations by the Office of the Data Protection Commissioner (ODPC) and rulings from the High Court clarify that residential CCTV is not exempt from regulation and must strictly adhere to the provisions of the Data Protection Act, 2019 (the Act). Understanding these requirements is vital for any resident or Resident Association seeking to install or regulate security systems within their community.


1. The Legal Framework: When Does Your Camera Become a Data Controller?

The installation and operation of a modern CCTV system, which captures and records images, voices, or movements, involves the processing of personal data. Personal data is defined broadly to include any information relating to an identified or identifiable natural person. This includes biometric and physiological identifiers, such as a person's image recorded by a camera system.


The Office of the Data Protection Commissioner (the Office) is established to regulate the processing of personal data and ensure compliance with the principles set out in Section 25 of the Act. When a resident or an estate association installs a system that records data, they assume the legal obligations of a Data Controller.


The cornerstone of compliance rests on adherence to core Data Protection Principles:

  • Lawfulness, Fairness, and Transparency: Data must be processed lawfully, fairly, and in a transparent manner.
  • Purpose Limitation: Data must be collected for explicit, specified, and legitimate purposes (e.g., security) and not further processed in a manner incompatible with those purposes.
  • Data Minimisation: The data collected must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.


If a security measure, such as a CCTV system, captures data beyond the perimeter necessary for the stated security objective, it immediately risks breaching these core principles and infringing on the constitutional right to privacy.

Get guided support If you are dealing with a data protection issue:
Individuals: Use the self-assessment prompts to clarify your concern and understand possible next steps: Self Assessment
Organisations: Use the structured compliance prompts to identify the issue and determine the practical actions required: DP Services


2. The Critical Test: Personal Space vs. Surveillance

The DPA contains an exemption under Section 51(2) which states that the processing of personal data by an individual in the course of a purely personal or household activity is exempt from the Act's provisions. However, judicial and regulatory scrutiny has shown that this exemption is interpreted very narrowly.


The Boundary of Exemption - The Mark Ross Case

In the determination involving Mark Ross vs. Graeme Thompson (ODPC Complaint No. 2431 of 2023), the Data Commissioner illustrated the narrow confines of the household exemption. The Complainant alleged the Respondent’s CCTV installation violated his privacy by monitoring movements in and out of his residence.


The ODPC’s investigations confirmed that the two CCTV cameras were installed at the entrance gate point of the Respondent’s residence and pointed directly to the main road outside the gate. They collected data related only to persons and movements into and out of the Respondent’s property and along the frontage of the road. The cameras did not point toward the Complainant’s residence, nor were they monitoring movements into or out of the Complainant’s residence.


Consequently, the ODPC determined that the use of the CCTV by the Respondent to capture video and sound recording within his premises comprised processing of personal data in the course of a purely personal or household activity, which is exempt from the provisions of the Act under Section 51(2).


Key takeaway for residents: To rely on this exemption, your camera's field of view must be strictly confined to your property, entryway, or the public area necessary for securing your premises, without actively monitoring neighboring private spaces.


The Risk of Intrusion - The Lilian Nderitu Case

When the camera angle crosses the property boundary and encroaches upon a neighbor’s private life, the exemption vanishes, and liability is triggered.


In Lilian Nyawira Nderitu and John Gitahi Mureithi vs. Josephat Karungo and Freshia Mugo Waweru (ODPC Complaint No. 0596 of 2025), the Complainants alleged that CCTV cameras installed by their neighbors intruded upon their private residence. They stated that the cameras’ fields of view extended into their kitchen and surrounding areas, causing stress and emotional distress due to continuous surveillance.


Although the Respondents claimed the cameras were installed for legitimate security concerns after a burglary attempt, the ODPC found they breached the Act because they failed to demonstrate that they ensured the camera’s range did not capture neighboring property. The Complainants’ home is a private space, and continued surveillance from a neighboring property, even if unintentional, constitutes unauthorized processing of personal data contrary to Section 25(a), (b), (c), and (d) of the Act.


The fact that the Respondents later repositioned the camera was taken as an admission that its earlier range extended into the Complainants’ property. Because the delay in correcting this infringement took almost a year, the Complainants suffered prolonged interference with their privacy. The ODPC determined the Respondents were liable for these infringements and ordered them to pay the Complainants KES 200,000 in compensation.


Key takeaway for residents: Intentional harm is not required for a breach. If your camera captures your neighbor's private activities (like viewing into their kitchen or garden), you are processing their data unlawfully, regardless of your security intentions.


3. Mandatory Compliance: The Burden of Registration

The issue of residential CCTV usage goes beyond just camera angles; it involves mandatory registration as a Data Controller.


The High Court has underscored the strictness of compliance. In judicial review proceedings concerning CCTV use (related to the Kennedy Ondieki vs. Hellen Maeda principle), the High Court ruled that Registration with the Data Commissioner was mandatory, even if the CCTV was only for private security use. The courts emphasized that the domestic/household use exemptions in the DPA will be narrowly read. This means that if a system captures any public space or affects neighbors, the Data Controller must register with the ODPC. Even small-scale CCTV use may trigger registration and compliance.


Obligations for Residents

For Resident Associations or individual residents planning CCTV installation, the legal requirements demand proactive steps:

  1. Justify the Processing (Lawful Basis) - Processing personal data must have a lawful basis (Section 30 of the Act). While security may constitute a "legitimate interest", this interest must be weighed against the data subject's privacy rights. The ODPC scrutinizes whether this legitimate interest passes the necessity test, meaning the controller must prove that no less intrusive means exist to achieve the security goal.
  2. Ensure Proportionality (Data Minimisation) - The system must be designed to capture only the minimum data required for security. If the Respondents rely on legitimate interest for security, they must pursue it proportionately and within the confines of the law. This includes physically adjusting camera angles to exclude neighboring private areas.
  3. Right to Rectification and Erasure - Data controllers have an obligation to rectify or erase personal data that is irrelevant, excessive, or obtained unlawfully, and they must do so without undue delay. In the Nderitu case, the delay of almost a year in adjusting the camera contributed to the finding of liability and subsequent compensation.
  4. Notification - Although the Nderitu case did not explicitly center on notification, the Act generally requires Data Controllers to notify subjects about the processing of their data, including the purpose, security measures, and the identity of the controller (Section 29). While providing formal notification to all passersby might be impractical for residential CCTV, clear signage indicating surveillance is a minimum requirement for public-facing cameras.

4. What a Resident Must Do

For anyone operating or planning residential surveillance, the consequences of non-compliance, ranging from enforcement notices to significant financial compensation (as seen in the KES 200,000 awarded in the Nderitu case), are substantial.


Individuals should implement the following best practices:

  • Audit Camera Placement - Regularly check the physical positioning and video feed of all cameras to ensure the fields of view are strictly limited to the intended security perimeter (e.g., your gate, driveway, or the public road immediately adjacent to your property). They must not extend into neighboring kitchens, gardens, or private entrances.
  • Acknowledge and Act on Complaints - If a neighbor complains that your camera is intruding on their property, you must investigate and rectify the situation without undue delay. Delaying rectification, as happened in the Nderitu case, demonstrates interference with privacy and increases liability.
  • Evaluate Registration Needs - Given the High Court's narrow interpretation of the domestic use exemption, individuals operating systems that cover common areas or public roads should consult the ODPC regarding registration, as even small-scale systems may require compliance.
  • Transparency - If cameras cover an entryway or common space, ensure highly visible signage is placed to inform visitors and residents that data is being collected and the purpose for that collection, addressing the spirit of the right to be informed (Section 26(a)).


The judicial trend firmly establishes that security measures cannot be deployed at the expense of a neighbor's privacy. When installing a CCTV system, the guiding principle must be proportionality: collect only the data that is absolutely necessary, and ensure your pursuit of security does not become an invasion of someone else's sanctuary. In essence, if you install surveillance, you become a custodian of your neighbors' privacy, and the law demands you manage that data responsibly and restrictively.


---

info@mzizi-africa.com

---

The materials on this website are intended to provide a general summary of the law and do not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact or situation.

Back to blog
About Us

We are organized under the laws and bar rules of Kenya.

Nairobi Office : Maziwa Lane, Block 1, Ground Floor, P.O. Box 3336 Nairobi 00100, KENYA Tel : +254721640667

Email : info@mzizi-africa.com

RL Partners

Mombasa: Canon Towers II, Bandari Wing, 2nd Floor, Moi Avenue, P.O. Box 41742 Mombasa 80100

Eldoret: Asai Complex, 1st Floor (Next to Equity Bank), Kisumu Road, P.O. Box 1315 Kapsabet 30300

  • Maestro
  • Mastercard
  • PayPal
  • Visa
  • Discover

By using this website, you agree to our use of cookies. We use cookies to provide necessary site functionality and provide you with a great experience.