Introduction to European Privacy Laws
With the widespread use of video surveillance, body cameras and the rapid expansion of AI and facial recognition, video redaction has become a significant area of concern for privacy protection worldwide. Different regions have implemented privacy laws that govern how personal data, including video footage, is collected, processed and shared. This guide provides a focused look at privacy laws, with an emphasis on European regulations related to video redaction, and provides strategies for complying with these laws.
Why do countries have data privacy laws?
Data privacy is important because individuals need to have control over their personal information and how it is used. When companies collect and use personal data, they have a responsibility to protect that data from unauthorised access or misuse.
Reasons why data privacy is important in Europe include:
Personal security
Customer data often includes sensitive information such as social security numbers, financial information or medical records. Even information that identifies people’s interests and preferences should be protected as private and personal. Data breaches can lead to information being misused for identity theft and other fraudulent activities.
Trust
Customers trust organisations to handle their personal information responsibly. If a company fails to protect personal data, it can damage the trust that people have in the company and result in a loss of business.
Ethical responsibility
Companies have a moral responsibility to protect the privacy of people. Collecting and using data for legitimate business purposes is acceptable, but misusing it or failing to protect the data from others is not.
European countries have implemented laws and regulations to protect the privacy rights of their citizens and to ensure that organisations are using personal data ethically.
Proliferation of privacy laws makes navigation difficult
Privacy laws have never been as important and topical as they are today, now that data travels the world through borderless networks. More than 120 jurisdictions have data privacy laws.
While protection laws are generally good news for those who have data stored or transferred online, it is not always good for those who have to navigate the challenges resulting from variations in regulations.
Some countries have sectoral coverage, which means that different industries in the country have their own data privacy laws. Other countries have omnibus coverage, with at least one national data protection law in addition to provincial or sectoral regulations.
This guide provides an overview of the many laws and regulations that regulate data protection and privacy in selected European countries.
Key European privacy laws
1. General Data Protection Regulation (GDPR) - Europe
Scope
Applies to all companies handling personal data of EU citizens, regardless of where the company is based.
Core principles
Data minimisation, consent, transparency, and accountability.
Video Redaction
Under GDPR, any video footage that identifies a person is considered personal data. This means businesses must ensure that any recorded or stored video complies with the law, ensuring that any identifiable individual has provided consent, or that another legal basis exists for the data processing (e.g., legitimate interest or legal obligation). Video redaction helps to anonymise this data to avoid potential GDPR violations.
Right to Erasure
Individuals have the "right to be forgotten," which includes having their identifiable data (including video) erased.
Penalties
Fines for GDPR violations can reach up to 4% of a company’s global turnover or €20 million, whichever is higher.
In addition to the GDPR, the EU has also implemented the ePrivacy Directive, which regulates the use of electronic communication services and technologies, such as cookies and direct marketing.
Overview of European privacy laws and video redaction
Europe has some of the strictest privacy laws in the world, with the GDPR serving as the cornerstone of data protection and privacy for personal data, including video surveillance.
EU GDPR and Video Redaction
GDPR recognises video footage as personal data when individuals are identifiable. To comply with GDPR when handling video data, organisations must:
Anonymise or redact videos where personal data (such as faces or license plates) can be clearly identified unless explicit consent is given or there is a lawful basis for processing.
Minimise data collection and only retain footage for the shortest time necessary to achieve the purpose.
Provide transparency by informing individuals when and where they are being recorded.
Respond to data subject access requests (DSARs) which can include requests to access, delete or rectify their personal data captured in video form.
Video redaction techniques for GDPR compliance:
Face Blurring
Obscuring identifiable features, such as faces, to ensure anonymity.
License Plate Blurring
Blurring out sensitive personal information like vehicle registration numbers.
Body Redaction
Redacting identifiable clothing, body shapes or tattoos that could identify individuals.
Object Removal
Removing personal objects that may link to an individual, such as phones or personal belongings.
European guidelines for video surveillance and CCTV
Several EU member states have local regulations supplementing the GDPR, particularly around CCTV use:
Germany (BDSG)
The Federal Data Protection Act supplements GDPR and applies stringent requirements to video surveillance. Video recordings must comply with GDPR, and additional scrutiny is applied in public spaces.
France (CNIL)
The French data protection authority requires organisations to inform individuals of surveillance, obtain prior approval in certain cases, and ensure strict redaction measures.
UK (DPA 2018)
Post-Brexit, the UK's Data Protection Act 2018 mirrors GDPR and retains the same privacy and redaction obligations for video.
Selected countries: Video redaction requirements
Finland
In Finland, video surveillance and redaction practices are governed by both the GDPR and national laws such as the Data Protection Act (2018). These regulations set guidelines for video redaction to comply with data protection requirements.
The Data Protection Ombudsman oversees GDPR compliance in Finland and offers guidelines on video surveillance and redaction, which include sector-specific regulations, for example:
Public Spaces: Video surveillance in public spaces (such as shopping centres or streets) is subject to stricter regulations. Any personal data captured in public must be redacted if shared for purposes other than its original intent. Law enforcement authorities also have specific guidelines to redact video when sharing it with third parties to protect individuals' privacy.
Private Properties: In cases where private property owners use video surveillance, such as CCTV in residential buildings, video footage should be redacted if it captures individuals outside the property (e.g., on sidewalks or neighbouring properties) to avoid breaching their privacy rights.
Workplace Surveillance Rules: Video surveillance in Finnish workplaces is subject to labour law protections and must comply with privacy laws. Employers are required to inform employees about surveillance, and they cannot use footage for purposes other than the originally stated reason (e.g., security). When video footage is shared externally, redaction of identifiable information is typically required.
Spain
The Spanish Data Protection Agency (AEPD) Guidelines include sector-specific regulations, such as:
Public Spaces: Video surveillance in public places, such as streets or public buildings, is regulated more strictly. Law enforcement or other authorities must ensure proper redaction to avoid infringing on individual privacy rights when disclosing footage.
Private Property: For video surveillance on private property, consent is necessary if footage captures individuals outside the property (e.g., passersby), and redaction is recommended if footage is shared with external parties.
European data and privacy enforcement measures
In Europe, data and privacy enforcement measures are primarily governed by the General Data Protection Regulation (GDPR). Key enforcement mechanisms include:
Supervisory Authorities (SAs)
Each EU member state has a Data Protection Authority (DPA) that oversees GDPR compliance.
DPAs can investigate complaints, conduct audits, issue warnings, and impose fines.
The European Data Protection Board (EDPB) coordinates cross-border cases.
Penalties and Fines
Organisations can face fines up to €20 million or 4% of global annual turnover, whichever is higher, for severe violations (e.g., non-compliance with consent rules).
Lesser violations can incur fines up to €10 million or 2% of turnover.
Corrective Measures
DPAs can order data processing to stop, or require practices to be restricted or modified.
They can also enforce data erasure or impose temporary data bans.
Legal Recourse
Individuals can lodge complaints with DPAs or seek judicial remedies, including compensation for data breaches or privacy violations.
Data Breach Notifications
Organisations must notify relevant DPAs within 72 hours of a personal data breach, along with affected individuals if the breach poses significant risks.
How can you comply with European privacy laws?
To comply with European privacy laws, especially the GDPR, organisations must follow key principles: obtain clear consent before collecting personal data, ensure transparency by informing individuals how their data is processed, and implement robust security measures to protect data.
Data minimisation should be practiced—only collect data that is necessary for specific purposes. Organisations must also facilitate data subject rights, such as access, rectification and deletion requests, and maintain a clear data retention policy.
Regularly conducting data protection impact assessments (DPIAs) and appointing a Data Protection Officer (DPO) may also be required for compliance.
Strategies for video redaction in Europe
To comply with European privacy laws, organisations using video footage should incorporate the following best practices for redaction:
Automated Redaction Software
Using AI-powered tools for efficient and scalable redaction. These tools automatically detect and blur faces, license plates and other identifiers.
Privacy by Design
From the outset, design video surveillance systems with privacy in mind, using technologies that enable easy redaction and ensure that minimal footage is captured.
Consent Management
Obtain explicit consent from individuals before capturing video.
Limit Access
Restrict access to raw video footage to authorised personnel and maintain a clear audit trail of who accessed and edited the video.
Retention Policies
Establish a clear data retention policy, deleting footage after a set period unless there is a legal need to retain it longer.
Tools for Video Redaction
Facit works with customers in Europe and is involved in video redaction to meet privacy regulations in 23 countries around the world.
Our AI-driven redaction software, Identity Cloak, is a powerful and popular redaction solution. Notable functions and benefits of Identity Cloak include:
Rapid video redaction of all personal data (e.g., faces, licence plates)
Redact entirely in-house with minimal training
Auto-tracking features increase output accuracy and maximise efficiency
Flexible redaction options
Intuitive user interface
Complies with European privacy regulations
Flexible licensing to ensure predictable compliance budgets
Identity Cloak is specifically designed to enable organisations to take full control of their redaction processes. It provides a superior, more accurate and more cost-effective solution than outsourcing, manual redaction or using editing tools that were not specifically designed to meet compliance needs.
Rights of Data Subjects in Europe
In Europe, the GDPR provides a comprehensive framework that grants individuals, known as data subjects, specific rights regarding the collection, processing, and storage of their personal data. These rights are designed to give individuals more control over their data, enhance transparency, and ensure that organisations process personal data lawfully.
Here are the key rights of data subjects under the GDPR:
1. Right to Access (Article 15)
Data subjects have the right to:
Obtain confirmation from a data controller (the organisation handling the data) whether their personal data is being processed.
Access their personal data, including receiving a copy of the data free of charge.
Receive information about the purposes of the data processing, categories of personal data involved, recipients to whom the data has been disclosed, and how long the data will be stored.
2. Right to Rectification (Article 16)
Data subjects have the right to:
Request that inaccurate or incomplete personal data be corrected or completed without undue delay.
Ensure that organisations update inaccurate information to reflect the most accurate and current data.
3. Right to Erasure (Right to be Forgotten) (Article 17)
Data subjects can request the deletion of their personal data under certain circumstances, including:
The data is no longer necessary for the purposes for which it was collected.
The individual withdraws their consent, and there is no other legal basis for processing.
The data subject objects to the processing, and there are no overriding legitimate grounds.
The data has been processed unlawfully.
The data must be erased to comply with a legal obligation.
Exceptions: The right to erasure is not absolute and does not apply if the data is needed for reasons like legal obligations, public interest (e.g., public health), or the establishment, exercise or defence of legal claims.
4. Right to Restriction of Processing (Article 18)
Data subjects have the right to request a restriction on the processing of their personal data in specific cases, such as:
When they contest the accuracy of the data, allowing the controller time to verify the data.
When the processing is unlawful but the individual does not want the data erased.
When the controller no longer needs the data but the individual requires it for legal claims.
When they have objected to the processing, pending the verification of whether the controller’s legitimate grounds override their objection.
5. Right to Data Portability (Article 20)
Data subjects can request:
The transfer of their personal data to themselves or another controller in a structured, commonly used, and machine-readable format (e.g., a CSV file).
This applies to data that the individual provided, which is processed based on their consent or contract, and when processing is carried out by automated means.
6. Right to Object (Article 21)
Data subjects have the right to object to the processing of their personal data in the following situations:
Direct Marketing: Individuals can object at any time to the use of their data for direct marketing purposes, and companies must stop processing data for that purpose immediately.
Legitimate Interests: Data subjects can object when their personal data is being processed based on the controller’s legitimate interest or a task in the public interest unless the controller can demonstrate compelling legitimate grounds that override the individual’s rights.
Research and Statistics: Individuals can object to data processing for scientific or historical research, or statistical purposes unless it is necessary for public interest reasons.
7. Right Not to Be Subject to Automated Decision-Making (Article 22)
Data subjects have the right to:
Not be subject to decisions made solely by automated means (e.g., algorithms) that have legal or significant effects on them, such as automated credit approval or hiring processes.
This right includes cases of profiling that produces legal effects or similarly significant consequences.
Exceptions: Automated decision-making is allowed if it is necessary for entering or performing a contract, authorised by law, or based on explicit consent. In such cases, individuals have the right to receive human intervention, express their point of view, and contest the decision.
8. Right to Withdraw Consent (Article 7)
If the processing of personal data is based on the data subject’s consent, they have the right to withdraw that consent at any time. Organisations must make it as easy to withdraw consent as it is to give it. Withdrawal of consent does not affect the lawfulness of processing based on consent before it was withdrawn.
9. Right to Be Informed (Article 13 & 14)
Data subjects have the right to be informed about:
How their personal data is collected, processed, and for what purposes.
The identity and contact details of the data controller and any data protection officer (DPO).
The recipients or categories of recipients of their data.
Their rights under the GDPR, including the right to withdraw consent, lodge a complaint, and how long their data will be stored.
10. Right to Lodge a Complaint (Article 77)
Data subjects have the right to:
Lodge a complaint with a supervisory authority if they believe their rights under the GDPR have been violated.
Typically, this will be the national Data Protection Authority (DPA) in the EU country where they reside, work, or where the infringement occurred.
11. Right to Compensation (Article 82)
Data subjects have the right to:
Seek compensation for damages resulting from a breach of the GDPR by the data controller or processor.
This includes both material (financial loss) and non-material (e.g., distress) damages.
Conclusion: European Data Subjects
The GDPR empowers data subjects in Europe by giving them control over their personal data. Organisations must respect rights and implement processes to comply with requests in a timely, transparent manner. Failure to do so can lead to significant penalties and loss of trust.
Future trends in video redaction privacy in Europe
AI and Machine Learning
AI technologies are improving video redaction by automatically detecting and obscuring personal data, making the process faster and more accurate.
Real-time Video Redaction
Emerging solutions facilitate live video redaction to enable compliance even in streaming environments.
Integration with Facial Recognition
A growing concern for privacy regulators, as companies implementing facial recognition may need advanced redaction methods to ensure compliance with laws in most European countries.
Conclusion: European Privacy Laws
In the context of evolving global privacy laws, video redaction is essential for organisations using video surveillance to maintain compliance. Europe’s GDPR has set a high standard, pushing organisations worldwide to adopt stronger privacy protections.
By understanding the nuances of these regulations and implementing redaction strategies, businesses can safeguard individuals' privacy while utilising video technologies.
Organisations must stay vigilant, leveraging both technology and legal guidance to ensure that their use of video footage aligns with global privacy standards, particularly in Europe where the penalties for non-compliance are severe.