As the festive season draws near, the Court of Justice of the European Union (CJEU) has added something to the compliance calendar, a ruling that unwraps long standing uncertainty around transparency obligations under the General Data Protection Regulation (GDPR) for body worn cameras.
Background
In its decision in C‑422/24 Storstockholms Lokaltrafik (SL), the CJEU ruled that when ticket inspectors record passengers during ticket checks, the personal data captured is obtained directly from the individual. This means organisations must comply with Article 13 of the GDPR and inform individuals at the point of data collection about who is processing their data, why it is being processed, and how it will be used. This contrasts with the obligations within Article 14 of the GDPR, which applies when personal data is collected indirectly, i.e. from sources other than the individual themselves, allowing greater flexibility in when and how that information is provided. The ruling reinforces the GDPR’s core notice at collection principle, rejecting interpretations that could delay or dilute transparency where individuals themselves are the source of the data.
For businesses, this decision offers much needed clarity on the use of video surveillance technologies and is likely to set an important precedent across the EU for how such systems should be operated in compliance with data protection law.
The facts
SL, a public transport company operating in Sweden, equipped its ticket inspectors with body worn cameras to deter threats and violence and to verify passenger identity when issuing penalty fares. The devices captured audio and video recordings in short, continuous loops, automatically overwriting footage every minute unless it was saved for enforcement purposes. While intended as a safety measure, this practice operated in a legal grey area.
In 2021, the Integritetsskyddsmyndigheten (DPA) audited SL’s practices and concluded that, between December 2018 and June 2021 the use of body cameras breached several GDPR provisions, most notably the failure to provide data subjects with adequate information about the processing of their personal data at the point of collection. As a result, the DPA imposed a significant fine of approximately €1.42 million, including €355,188 specifically for non-compliance with Article 13 of the GDPR.
SL challenged the decision, arguing that the collection of personal data was indirect, meaning that Article 13 GDPR obligations did not apply. The case progressed through the Swedish courts and reached the Högsta förvaltningsdomstolen (Swedish Supreme Administrative Court), which referred two key questions to the CJEU:
- Which GDPR provision applies when personal data is collected via body worn cameras, i.e. does this constitute direct or indirect collection of personal data?
(This distinction is crucial for determining transparency. Article 13 of the GDPR applies when personal data is collected directly from the data subject, requiring organisations to inform the individual at the point of data collection. Whereas Article 14 of the GDPR applies when personal data is obtained from sources other than the data subject, allowing organisations to provide the required information at a later stage).
- Can failure to inform data subjects at the time of collection justify an administrative fine?
The CJEU’s bottom line on transparency
In reaching its decision the CJEU agreed with the DPA’s position, ruling that Article 13 of the GDPR applies to body worn camera recordings because the data is collected directly from the individual, and not from a third-party source. Specifically, the CJEU noted that “the classification of data collection as ‘direct’ does not require either that the data subject knowingly provide data or any particular action on his or her part. Therefore, data obtained from observing the data subject is considered to have been collected directly from him or her.”
The CJEU explained that organisations must provide information immediately at the point of collection and advised using a “multi-layered approach” that combines methods of communication such as clear signage and accessible notices that recordings are taking place. Referring to EDPB Guidelines 3/2019, the CJEU confirmed that transparency can be achieved through:
- First layer: Clear signage or a “warning sign” stating that a recording is taking place.
- Second layer: Along with other mandatory information, a full privacy notice stating the purpose, types of data collected, and identity of the controller made available in an “appropriate and complete manner, in an easily accessible place” such as via a QR code, website, or printed material.
The CJEU explained that if Article 14 of the GDPR applied “the data subject would not receive any information at the time of collection, even though he or she is the source of those data, which would allow the controller not to provide information to that data subject immediately. Therefore, such an interpretation would carry the risk of the collection of personal data escaping the knowledge of the data subject and giving rise to hidden surveillance practices.”
In essence, the CJEU confirmed that real time transparency is non-negotiable. Organisations using body worn cameras must inform individuals immediately when data is collected, not later. The CJEU has closed the door on any attempt to rely on Article 14 of the GDPR as this would allow organisations to delay or avoid informing individuals, creating a risk of hidden surveillance, an outcome incompatible with the GDPR’s objective of ensuring a high level of protection for individual rights.
What should organisations be doing in light of this decision?
Organisations who have implemented or considering implementing body worn cameras are encouraged to:
- Review transparency measures to ensure compliance with relevant GDPR provisions and build these into operational processes and not simply hidden in a privacy policy.
- Update policies and procedures for direct data collection i.e. embed Article 13 GDPR obligations into operational workflows for systems collecting data including body worn cameras, CCTV, or similar technologies.
- Assess technical configurations so that features like short loop recording and override functions are documented and justified to demonstrate compliance with the GDPR principles of data minimisation and purpose limitation.
- Ensure appropriate employee training to understand when and how to provide information to an individual and how to respond to questions about data processing.