Body cameras require immediate disclosure under GDPR, EU court rules

The Court of Justice of the European Union delivered its final data protection ruling of 2025 on December 18, establishing that personal data collected through body cameras falls under Article 13 of the General Data Protection Regulation. The judgment resolves a case against Stockholm Public Transport, determining that passengers must receive immediate notification when body cameras record them during ticket inspections.

According to Advocate General Medina's opinion delivered August 1, 2025, the classification of data collection as direct does not require the data subject to knowingly provide information or take particular action. Data obtained from observing individuals is considered collected directly from them under GDPR provisions.

The Swedish Authority for Privacy Protection fined AB Storstockholms Lokaltrafik 16 million kronor in June 2021 after finding the public transport operator violated multiple GDPR provisions through body camera usage from December 2018 onward. The authority allocated 4 million kronor specifically for inadequate information provision to passengers.

Stockholm Public Transport equipped ticket inspectors with body cameras that continuously record images and sound throughout work shifts. The cameras feature circular memory that automatically deletes recorded material after one minute unless inspectors suspend deletion by pressing a button. Inspectors must preserve recordings when issuing surcharges or documenting threats against staff.

The Kammarrätten i Stockholm set aside the supervisory decision in January 2023, ruling that Article 13 does not apply to body camera data collection. That court determined the wording "collected from the data subject" indicates some deliberate action by individuals is required, which cannot occur through passive camera recording.

The Högsta förvaltningsdomstolen referred the case to the European Court of Justice on June 13, 2024, seeking clarification on whether Article 13 or Article 14 applies when body cameras obtain personal data. The distinction carries significant implications for timing requirements and possible exemptions from information obligations.

Article 13 requires controllers to provide information at the time personal data are obtained. Article 14 permits information provision within reasonable periods, generally one month, when data comes from sources other than the subject. The indirect collection provision includes exceptions when providing information proves impossible or involves disproportionate effort.

The Advocate General's opinion emphasizes that collection requires action by controllers rather than data subjects. The term "collected from the data subject" reflects the source of data rather than active participation in providing it. When subjects serve as the data source with no intermediary between them and controllers, Article 13 applies.

Article 14 applies when controllers obtain data from sources other than subjects, including third-party controllers, publicly available sources, data brokers, or other data subjects. The provision requires controllers to inform subjects about the source of personal data, distinguishing its scope from direct collection scenarios.

The opinion states that data subjects become the source of data collected by body cameras through mere physical presence in areas captured by cameras. Controllers collect data directly from subjects through observation, triggering immediate information obligations rather than delayed notification periods.

Stockholm Public Transport argued the layered approach common in video surveillance aligns better with Article 14's scheme than Article 13's requirements. The company contended that difficulties in providing individual information before recording begins should permit application of Article 14's disproportionate effort exception.

The Advocate General rejected arguments that practical challenges justify applying Article 14. The opinion notes that appropriate measures for providing information depend on context and intrusion levels, with body camera surveillance presenting significant privacy risks comparable to fixed video surveillance systems.

European Data Protection Board Guidelines on video surveillance demonstrate the layered approach remains practical for body cameras. Initial notification can occur through warning signs providing essential information, while complete details become available through easily accessible secondary sources like websites or QR codes.

The opinion emphasizes that applying Article 14 to body camera scenarios would undermine Article 13's effectiveness. Allowing controllers to avoid immediate notification despite collecting data directly from subjects creates risks of unnoticed data capture and hidden surveillance practices.

Recital 61 of GDPR states information should be given at the time of collection from subjects or within reasonable periods when personal data come from another source. The explicit reference to sources in both the recital and Article 14's requirement to inform subjects about data origins confirms that source identification distinguishes the provisions' respective scopes.

Stockholm Public Transport referenced the Court's December 2014 judgment in Ryneš concerning camera surveillance at private residences. That decision addressed whether the household exemption applied to cameras monitoring public spaces, with the Court noting Directive 95/46/EC allowed consideration of legitimate interests under various provisions including Article 11.

The Advocate General concluded the Ryneš judgment lacks relevance for distinguishing Articles 13 and 14 under GDPR. That case concerned the household exception rather than information obligations, and time frames for providing information differ between the previous directive and current regulation. Recital 61 clarified the distinction between direct and indirect collection by explicitly referencing data sources.

The Swedish Authority for Privacy Protection argued that camera surveillance requires information provision before processing begins, making subjects who knowingly enter monitored areas enable data collection through conscious behavior. Controllers play active roles in collecting data rather than subjects.

Organizations implementing body camera systems must provide layered information starting with warning signs indicating surveillance zones. The most important details appear on initial signage while comprehensive information becomes available through accessible supplementary materials.

Article 12 requires controllers to take appropriate measures providing information in concise, transparent, intelligible, and easily accessible forms using clear language. The provision applies equally to direct collection under Article 13 and indirect collection under Article 14.

Stockholm Public Transport and the Danish Government contended that Article 13 applies only when subjects actively provide data, citing Article 13's requirement to inform subjects whether they must provide data and consequences of refusal. The Advocate General noted such information is required only in specific cases, not all circumstances.

Article 14 requires controllers to inform subjects about categories of personal data concerned when collection is indirect. Stockholm Public Transport interpreted this as evidence that Article 13 assumes subjects already know what data is collected. The opinion explains the requirement reflects controllers processing data from external sources without direct subject contact at collection time.

The principle of transparency governs personal data processing under Article 5, requiring lawful, fair, and transparent treatment of information relating to subjects. Information obligations in Articles 13 and 14 serve as specific expressions of this fundamental principle.

Delimiting scope based on data source enables fair and transparent processing. Direct collection requires immediate information provision when controllers contact subjects. Indirect collection permits reasonable delays precisely because controllers lack direct subject contact.

Immediate notification through body camera surveillance allows subjects to become aware of collection, enabling rights exercise from collection time or before entering monitored zones. Early awareness permits individuals to refrain from entering surveillance areas or adapt behavior accordingly.

Processing personal data must satisfy transparency requirements with regard to concerned subjects, ensuring GDPR objectives of protecting fundamental rights and freedoms. Article 1 and recitals 1 and 10 establish the regulation's purpose of ensuring high protection levels for privacy rights as enshrined in the Charter of Fundamental Rights Article 8 and Treaty on the Functioning of the European Union Article 16.

Accepting Article 14 application for body camera collection would mean subjects receive no information at collection time despite serving as data sources. This circumvention of Article 13 would constitute serious infringement of information rights and undermine the provision's practical effect.

Distinguishing provisions based on whether subjects actually knew about collection would blur boundaries between articles and make application dependent on random circumstances. The objective source criterion provides clear delimitation enabling consistent application.

Article 29 Working Party Guidelines on transparency state Article 13 applies when subjects consciously provide personal data to controllers or when controllers collect data from subjects by observation. Examples of observation-based collection include automated data-capturing devices and software such as cameras.

Awareness of collection results from applying Article 13 and the obligation it creates for controllers to provide information at collection time. Knowledge is not a prerequisite for Article 13 but rather the consequence of mandatory information provision.

Where surveillance areas exist, relevant warning signs must appear so subjects become aware of collection before entering monitored zones. By knowingly entering monitored areas, subjects allow personal data collection to proceed.

German data protection authorities established unified fine procedures for standardized GDPR enforcement in June 2025, while Dutch authorities reprimanded food delivery companies for unauthorized data transfers through tracking technologies. Privacy advocates filed complaints against major Chinese platforms in July 2025 for systematically violating data access rights.

The body camera ruling arrives as European regulators examine how personal data processing rules apply to artificial intelligence systems and advertising technologies. The European Commission proposed major GDPR amendments in November 2025 addressing AI development and individual privacy rights.

Estonia's Tallinn Circuit Court upheld data protection authority orders requiring written legitimate interest assessments for CCTV surveillance in June 2025. That ruling emphasized technical specifications determine whether surveillance systems process personal data under GDPR definitions regardless of controllers' stated intentions.

The Advocate General noted that controllers must implement data protection by design and default under Article 25, paying particular attention to children's protection when designing processing systems. German authorities called for enhanced protections requiring default settings account for children's vulnerability.

Processing special categories of personal data including biometric information for identification purposes falls under Article 9 restrictions. Body cameras capturing facial features during continuous recording may process such sensitive data depending on system capabilities and controller intentions.

Companies operating CCTV systems for customer behavior analysis or security purposes must prepare for written assessment requirements when authorities investigate practices. Digital marketing firms utilizing video analytics or location-based services should review legitimate interest documentation.

The European Data Protection Board clarified Digital Services Act compliance on September 11, 2025, addressing how platforms must navigate overlapping DSA and GDPR requirements. The guidance emphasized enhanced protection under both regulatory frameworks.

Article 58 grants supervisory authorities powers to order controllers to provide information, conduct data protection audits, and notify subjects of violations. Authorities can impose administrative fines up to 20 million euros or 4 percent of total worldwide annual turnover for infringement of information obligations.

The judgment confirms broader enforcement patterns where regulators scrutinize actual system capabilities rather than accept general claims about data minimization. Court decisions delivered in September 2025 established that personal opinions inherently relate to authors without requiring additional analysis.

Marketing teams deploying surveillance or monitoring technologies for customer insights face enhanced accountability documentation requirements. Video analytics systems, emotion recognition tools, and behavioral tracking mechanisms must align technical implementations with legal justifications.

Brussels proposed sweeping GDPR changes in November 2025 to benefit artificial intelligence developers, though Netherlands raised concerns that fundamental modifications could substantially weaken privacy protections without reducing regulatory burden.

The body camera case distinguishes from situations where German courts examined IP address processing and requested EU clarification on data protection rules. Those proceedings addressed whether compensation rights under Article 82 can be denied when subjects knowingly cause infringements solely to document violations.

Privacy by design principles mandate implementing protection measures when determining processing means and during processing itself. For marketing technology development, this requires building privacy protections into customer data platforms and analytics systems from initial design phases rather than adding compliance features retroactively.

The ruling establishes clear precedent for observation-based data collection across transportation systems, retail environments, workplaces, and public spaces. Organizations must assess current notification practices against immediate information requirements regardless of technical challenges in individual notification.

Consent mechanisms for body camera recording remain distinct from information obligations. Article 6 establishes lawful bases for processing including consent, contract necessity, legal obligations, vital interests, public tasks, and legitimate interests. Controllers must identify valid legal bases independently of transparency requirements.

Legitimate interest assessments under Article 6(f) require balancing controllers' interests against subjects' rights and freedoms, considering reasonable expectations based on controller-subject relationships. Body camera usage for preventing violence against staff may constitute legitimate interests when properly balanced and documented.

Data minimization requires limiting collection and retention to what is necessary for specified purposes. Circular memory systems that automatically delete recordings after short periods demonstrate technical measures implementing minimization principles when preservation is unnecessary.

Storage limitation principles mandate keeping personal data in identifiable form no longer than necessary for processing purposes. The one-minute automatic deletion period reflects proportionate retention when only exceptional circumstances require preservation.

Subject rights under Articles 15 through 22 include access, rectification, erasure, restriction, data portability, objection, and protections against automated decision-making. Controllers must provide information about these rights when notifying subjects about data collection.

The judgment reinforces transparency as GDPR's cornerstone principle, guaranteeing openness about all processing activities. Organizations cannot avoid immediate notification requirements by claiming practical difficulties when collecting data directly from subjects through observation.

Enforcement actions demonstrate regulatory consensus that technical compliance requires functional transparency rather than mere procedural adherence. Authorities evaluate whether subjects receive genuine choice and meaningful information rather than accepting formal compliance with information requirements.

Timeline

• December 2018: AB Storstockholms Lokaltrafik begins body camera usage for ticket inspections
• June 2021: Swedish Authority for Privacy Protection issues supervisory decision fining Stockholm Public Transport 16 million kronor
• January 2023: Kammarrätten i Stockholm sets aside fine for inadequate information provision
• June 13, 2024: Högsta förvaltningsdomstolen refers preliminary ruling question to European Court
• August 1, 2025: Advocate General Medina delivers opinion supporting Article 13 application
• September 11, 2025: European Data Protection Board clarifies DSA compliance addressing coordination with GDPR requirements
• November 2025: European Commission proposes major GDPR amendments for AI development
• December 18, 2025: Court of Justice delivers final judgment confirming Article 13 applies to body cameras

Summary

Who: The Court of Justice of the European Union ruled in a case between the Swedish Authority for Privacy Protection and AB Storstockholms Lokaltrafik, a public transport operator in Stockholm equipped with body cameras for ticket inspectors.

What: The Court established that personal data collected through body cameras constitutes direct collection from data subjects under Article 13 GDPR, requiring immediate information provision at collection time rather than delayed notification under Article 14.

When: The judgment was delivered December 18, 2025, following the Advocate General's opinion from August 1, 2025, in proceedings originating from a June 2021 supervisory decision addressing body camera usage from December 2018 through June 2021.

Where: The ruling applies throughout the European Union and European Economic Area, establishing binding interpretation of GDPR Articles 13 and 14 for all member state courts and data protection authorities supervising body camera surveillance systems.

Why: The distinction matters because Article 13 requires controllers to provide information immediately when obtaining data, while Article 14 permits delayed notification and includes exceptions for impossible or disproportionate information provision, creating fundamentally different compliance obligations.