Estonian court backs data authority's power to order written assessments

Estonia's highest appeals court rules data protection authorities can require controllers to submit written legitimate interest assessments under Article 58(2)(d) GDPR.

Estonian court validates GDPR enforcement powers as CCTV surveillance meets digital privacy regulation

The Tallinn Circuit Court upheld on June 19, 2025, a data protection authority's order requiring a property owner to submit a written assessment of legitimate interest for CCTV surveillance. The landmark ruling confirms that supervisory authorities possess broad enforcement powers under Article 58(2)(d) GDPR to order specific compliance measures.

The case emerged after a neighbor filed a complaint with Estonia's Data Protection Inspectorate regarding CCTV cameras that captured both private property and public road areas. According to court documents, the property owner had installed four cameras on their premises, with at least one camera directed toward neighboring properties and the public street.

The Estonian Data Protection Inspectorate issued an enforcement order on February 2, 2023, requiring the controller to either halt all filming outside their property boundaries or submit a written legitimate interest assessment for continued surveillance of public areas. The authority warned of an 800-euro penalty for each unfulfilled requirement under Section 60 of Estonia's Personal Data Protection Act.

The property owner challenged this decision through multiple court levels, ultimately reaching the Tallinn Circuit Court. The controller argued that requiring written assessment of legitimate interest exceeded the authority's powers under GDPR, as no explicit obligation exists for such documentation.

Technical specifications determine surveillance scope

Central to the dispute was determining whether individuals could be identified from the camera footage. The controller submitted an expert opinion from A. H. Tepper, dated December 29, 2023, claiming the camera system could only identify individuals within 7.5 meters of the lens using DORI standards.

However, the Data Protection Inspectorate challenged this assessment by presenting the camera's English-language specification sheet. According to court records, the technical specifications showed different DORI distances: "detect" at 74.7 meters, "observe" at 29.9 meters, "recognise" at 14.9 meters, and "identify" at 7.5 meters.

The court rejected the controller's expert opinion after analyzing Estonian standard EVS-EN 62676-4:2015 for video surveillance systems. This standard defines "identify" as enabling viewers to determine a person's identity "without doubt," requiring a minimum resolution of 250 pixels per meter.

The court determined that individuals remained identifiable at distances covering both the neighboring property and public road areas. This technical finding supported the authority's jurisdiction over the surveillance system under GDPR provisions.

Household exemption rejected for public surveillance

The controller attempted to invoke GDPR's household exemption under Article 2(2)(c), arguing their surveillance constituted personal domestic activity. The Data Protection Inspectorate and courts rejected this defense based on the European Court of Justice's Ryneš ruling from December 11, 2014.

According to the court's analysis, the Ryneš precedent remains applicable despite predating GDPR. The judgment established that household exemption cannot apply when surveillance systems monitor public spaces or areas outside the controller's property boundaries.

The court noted that Article 2(2)(c) GDPR contains substantially identical language to Article 3(2) of the previous Data Protection Directive 95/46/EC. This continuity preserves the Ryneš interpretation under current data protection frameworks.

The ruling emphasized that the controller's installation of cameras partially monitoring neighboring properties and public roads clearly exceeded domestic activity boundaries. Such surveillance requires compliance with full GDPR obligations, including legitimate interest assessments when processing personal data.

Accountability principle supports written assessment requirements

The court's most significant holding addressed whether data protection authorities can order written documentation of legitimate interest assessments. The controller argued this requirement lacked legal basis and improperly delegated the authority's evaluation responsibilities.

The Tallinn Circuit Court firmly rejected these arguments, citing GDPR's accountability principle under Articles 5(2) and 24(1). According to court reasoning, controllers must demonstrate compliance with data protection principles, not merely assert compliance internally.

The court explained that Article 58(2)(d) GDPR grants supervisory authorities power to "order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period."

This enforcement provision enables authorities to require specific compliance measures, including written assessments when controllers claim legitimate interest as their legal basis. The court characterized such orders as "appropriate" and "not disproportionate" for ensuring GDPR compliance.

The ruling establishes that while GDPR contains no general obligation to prepare written legitimate interest analyses, supervisory authorities can order such documentation during enforcement proceedings. This power supports the regulation's emphasis on demonstrable compliance rather than self-assessment alone.


Marketing industry implications for surveillance technology

The Estonian ruling carries significant implications for the marketing industry's use of surveillance and monitoring technologies. Companies deploying CCTV systems for customer behavior analysis or security purposes must now prepare for potential written assessment requirements when authorities investigate their practices.

Digital marketing firms utilizing video analytics or location-based services should review their legitimate interest documentation. The court's emphasis on technical specifications suggests authorities will scrutinize actual system capabilities rather than accept general claims about data minimization.

The decision reinforces trends toward enhanced accountability documentation across data protection enforcement. Privacy authorities have intensified scrutiny of consent mechanisms and data processing justifications throughout 2025.

For marketing technology providers, the ruling demonstrates that technical implementation details directly impact legal assessments. Companies must ensure their surveillance or monitoring systems align with documented legitimate interest claims through proper technical configurations.

Broader enforcement patterns emerge across Europe

The Estonian decision reflects broader European trends toward stricter data protection enforcement. Privacy advocacy groups have challenged major platforms' legitimate interest claims, with surveys showing only 7% of users support Meta's AI training data use.

Recent enforcement actions demonstrate coordination among European data protection authorities. TikTok faces a €530 million fine for alleged data transfers to China, while German courts have clarified cookie banner compliance requirements.

The Estonian court's technical approach mirrors enforcement patterns where authorities examine actual system capabilities rather than accept compliance claims at face value. Dutch regulators concluded cookie banner investigations after organizations implemented technical corrections.

Cross-border enforcement coordination continues expanding through initiatives like the European Data Protection Board's work program. International cooperation efforts include new data transfer frameworks and standardized assessment procedures.

Technical standards shape privacy compliance

The court's detailed analysis of DORI surveillance standards establishes important precedent for technical evaluation in privacy cases. European standard EVS-EN 62676-4:2015 provides specific pixel resolution requirements for different identification levels in video surveillance systems.

These technical specifications directly determine whether surveillance systems process personal data under GDPR definitions. The court emphasized that "direct or indirect" identification capabilities trigger full data protection obligations regardless of controllers' stated intentions.
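The DORI reasoning in the court's analysis (the spec-sheet distances quoted earlier and the 250 px/m "identify" figure from EVS-EN 62676-4:2015) can be turned into a small self-check that a controller or auditor could run before claiming that nobody beyond the property line is identifiable. The following is an added example, not code from the court, the parties, or this article. It takes the page's 250 px/m identify threshold as given; the recognise, observe and detect thresholds (125, 62.5 and 25 px/m) are the values of the IEC/EN 62676-4 standard and match the 1:2:4:10 ratio of the 7.5 / 14.9 / 29.9 / 74.7 m distances on the cited spec sheet. The camera optics (2560 px width, 90 degree field of view) and the zone distances are constructed for illustration and do not describe the camera in the case.

```python
import math

# DORI pixel-density thresholds (pixels per metre at the subject).
# 250 px/m for "identify" is stated in the article; the other three are the
# EN/IEC 62676-4 values and agree with the spec-sheet distance ratios
# (7.5 m, 14.9 m, 29.9 m, 74.7 m) quoted in the ruling.
DORI_THRESHOLDS_PPM = (
    ("identify", 250.0),
    ("recognise", 125.0),
    ("observe", 62.5),
    ("detect", 25.0),
)


def dori_level(ppm):
    """Return the highest DORI level reached at a given pixel density, or None."""
    for level, threshold in DORI_THRESHOLDS_PPM:
        if ppm >= threshold:
            return level
    return None


def ppm_from_identify_distance(identify_m, distance_m):
    """Pixel density at distance_m, given the spec sheet's 'identify' distance.

    For a fixed lens, pixel density falls off inversely with distance, so the
    distance at which density is exactly 250 px/m pins down the whole curve.
    """
    if distance_m <= 0:
        raise ValueError("distance must be positive")
    return 250.0 * identify_m / distance_m


def ppm_from_optics(h_pixels, hfov_deg, distance_m):
    """Pixel density from sensor width (pixels) and horizontal field of view.

    The scene width imaged at distance d is 2 * d * tan(hfov / 2).
    """
    if distance_m <= 0:
        raise ValueError("distance must be positive")
    scene_width_m = 2.0 * distance_m * math.tan(math.radians(hfov_deg) / 2.0)
    return h_pixels / scene_width_m


def dori_distances(h_pixels, hfov_deg):
    """Maximum distance (m) at which each DORI level is still met."""
    # density * distance is constant for a fixed lens; evaluate it at 1 m.
    ppm_at_1m = ppm_from_optics(h_pixels, hfov_deg, 1.0)
    return {level: ppm_at_1m / threshold for level, threshold in DORI_THRESHOLDS_PPM}


def zones_reaching_identify(identify_m, zones):
    """Given {zone_name: distance_m}, return the zones where people are identifiable.

    Any zone outside the controller's own property that appears here is one
    where the household exemption cannot be relied on and a legal basis
    (plus its written assessment, if ordered) is needed.
    """
    return sorted(
        name for name, dist in zones.items()
        if dori_level(ppm_from_identify_distance(identify_m, dist)) == "identify"
    )


if __name__ == "__main__":
    # Constructed sample: the spec sheet's 7.5 m identify distance and
    # hypothetical distances from the lens to the areas in view.
    zones = {
        "own driveway": 3.0,
        "neighbour's fence line": 6.0,
        "near edge of public road": 7.0,
        "far side of public road": 12.0,
    }
    for name, dist in zones.items():
        ppm = ppm_from_identify_distance(7.5, dist)
        print(f"{name:26s} {dist:5.1f} m  {ppm:6.1f} px/m  -> {dori_level(ppm)}")
    print("identifiable zones:", zones_reaching_identify(7.5, zones))

    # Hypothetical 2560-px-wide sensor with a 90 degree horizontal field of view.
    print({k: round(v, 2) for k, v in dori_distances(2560, 90.0).items()})
```

The point of the check is the one the court made: the question is not where the controller intends to look but how far the installed optics actually deliver 250 px/m. Measuring the distances to the boundary and the road and feeding them through the spec sheet's identify figure gives an answer that can be documented, rather than an assertion that the footage is too coarse to matter.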

Marketing companies deploying surveillance or analytical technologies must align technical implementations with legal justifications. Systems capable of individual identification require appropriate legal bases and compliance documentation, even when deployed for aggregate analytics purposes.

The ruling suggests authorities will increasingly rely on technical standards and expert analysis when evaluating surveillance systems. Companies cannot rely solely on vendor claims or internal assessments when demonstrating GDPR compliance to supervisory authorities.

Enforcement powers receive judicial validation

The Tallinn Circuit Court's decision provides crucial judicial backing for supervisory authorities' enforcement approach under Article 58(2)(d) GDPR. The ruling confirms that authorities can order specific compliance measures without overstepping their regulatory mandate.

This judicial validation addresses ongoing debates about enforcement scope and proportionality in data protection proceedings. The court characterized written assessment requirements as reasonable accountability measures rather than excessive regulatory burdens.

The decision establishes that enforcement orders need not identify specific legal provisions mandating written documentation. Instead, authorities can require such measures as appropriate means of achieving GDPR compliance in particular circumstances.

For companies across industries, the ruling signals that supervisory authorities possess broad discretion in selecting compliance measures during enforcement proceedings. Organizations should prepare comprehensive documentation supporting their data processing activities before regulatory contact occurs.

Summary

Who: The Tallinn Circuit Court ruled in favor of Estonia's Data Protection Inspectorate against a property owner who challenged requirements for written legitimate interest assessment documentation.

What: The court confirmed that data protection authorities can order controllers to submit written assessments of their legitimate interest under Article 58(2)(d) GDPR when investigating CCTV surveillance systems that monitor public areas and neighboring properties.

When: The final ruling was issued on June 19, 2025, concluding a case that began with a neighbor's complaint on December 16, 2022, and enforcement action on February 2, 2023.

Where: The case originated in Estonia involving surveillance of private property and public roads in Pärnu, with proceedings conducted through Estonian administrative and appeals courts under European Union data protection law.

Why: The ruling establishes that GDPR's accountability principle requires controllers to demonstrate compliance through written documentation when claiming legitimate interest as their legal basis for processing personal data through surveillance systems.

PPC Land explains

GDPR (General Data Protection Regulation): The European Union's comprehensive data protection framework that took effect in May 2018, establishing strict rules for how organizations collect, process, and store personal data. The regulation requires companies to demonstrate lawful basis for data processing and grants individuals extensive rights over their personal information, with violations potentially resulting in fines up to 4% of global annual revenue.

Legitimate Interest: One of six legal bases for processing personal data under GDPR Article 6(1)(f), allowing organizations to process information without explicit consent when they can demonstrate compelling business needs. Controllers must conduct balancing tests showing their interests outweigh individuals' privacy rights and reasonable expectations, with this basis unable to override fundamental rights.

Article 58(2)(d) GDPR: The specific provision granting supervisory authorities power to order controllers or processors to bring processing operations into compliance with GDPR requirements in a specified manner and timeframe. This enforcement tool enables data protection authorities to require specific compliance measures, including technical implementations and documentation requirements.

Data Protection Authority: Independent regulatory bodies responsible for enforcing data protection laws within their jurisdictions, possessing investigative powers, the ability to issue fines, and authority to order compliance measures. Estonia's Data Protection Inspectorate serves this function, conducting investigations and issuing enforcement orders when organizations violate privacy regulations.

CCTV Surveillance: Closed-circuit television systems used for monitoring specific areas, which under GDPR constitute personal data processing when individuals can be identified from footage. Such systems require appropriate legal basis for operation, with controllers needing to demonstrate compliance with data protection principles including purpose limitation and data minimization.

Controller: The natural or legal person who determines the purposes and means of personal data processing under GDPR definitions. Controllers bear primary responsibility for ensuring lawful processing, implementing appropriate technical measures, and demonstrating compliance with all data protection requirements through documentation and procedures.

Accountability Principle: GDPR's foundational requirement under Articles 5(2) and 24(1) mandating that controllers not only comply with data protection principles but also demonstrate such compliance to supervisory authorities. This principle shifts burden from authorities to prove violations toward controllers proving compliance through documentation and evidence.

DORI Standards: Technical specifications for video surveillance systems defining Detection, Observation, Recognition, and Identification capabilities based on pixel resolution requirements. These standards determine whether surveillance systems can identify individuals, directly impacting GDPR applicability and requiring controllers to assess actual system capabilities rather than theoretical limitations.

Enforcement Order: Formal legal instruments issued by supervisory authorities requiring specific actions to achieve data protection compliance within defined timeframes. These orders carry legal force and potential penalties for non-compliance, representing primary tools for authorities to address violations and ensure organizational adherence to privacy requirements.

Technical Specifications: Detailed documentation describing surveillance system capabilities, including resolution, coverage areas, and identification distances that determine whether systems process personal data under GDPR definitions. Courts increasingly rely on such specifications rather than controller assertions when evaluating compliance, requiring organizations to understand actual rather than claimed system capabilities.