As the festive season draws near, the Court of Justice
of the European Union (CJEU) has added something to the compliance
calendar: a ruling that unwraps long-standing uncertainty around
transparency obligations under the General Data Protection
Regulation (GDPR) for body worn cameras.
Background
In its decision in C‑422/24 Storstockholms
Lokaltrafik (SL), the CJEU ruled
that when ticket inspectors record passengers during ticket checks,
the personal data captured is obtained directly from the
individual. This means organisations must comply with Article 13 of
the GDPR and inform individuals at the point of data collection
about who is processing their data, why it is being processed, and
how it will be used. This contrasts with the obligations within
Article 14 of the GDPR, which applies when personal data is
collected indirectly, i.e. from sources other than the
individual themselves, allowing greater flexibility in when and how
that information is provided. The ruling reinforces the GDPR’s
core notice-at-collection principle, rejecting interpretations that
could delay or dilute transparency where individuals themselves are
the source of the data.
For businesses, this decision offers much needed clarity on the
use of video surveillance technologies and is likely to set an
important precedent across the EU for how such systems should be
operated in compliance with data protection law.
The facts
SL, a public transport company operating in Sweden, equipped its
ticket inspectors with body worn cameras to deter threats and
violence and to verify passenger identity when issuing penalty
fares. The devices captured audio and video recordings in short,
continuous loops, automatically overwriting footage every minute
unless it was saved for enforcement purposes. While intended as a
safety measure, this practice operated in a legal grey area.
In 2021, the Integritetsskyddsmyndigheten (DPA)
audited SL’s practices and concluded that, between December
2018 and June 2021, the use of body cameras breached several GDPR
provisions, most notably the failure to provide data subjects with
adequate information about the processing of their personal data at
the point of collection. As a result, the DPA imposed a significant
fine of approximately €1.42 million, including €355,188
specifically for non-compliance with Article 13 of the GDPR.
SL challenged the decision, arguing that the collection of
personal data was indirect, meaning that Article 13 GDPR
obligations did not apply. The case progressed through the Swedish
courts and reached the Högsta förvaltningsdomstolen
(Swedish Supreme Administrative Court), which referred two key
questions to the CJEU:
1. Which GDPR provision applies when personal data is collected
via body worn cameras, i.e. does this constitute direct or
indirect collection of personal data?
(This distinction is crucial for
determining transparency obligations. Article 13 of the GDPR applies when
personal data is collected directly from the data subject,
requiring organisations to inform the individual at the point of
data collection, whereas Article 14 of the GDPR applies when
personal data is obtained from sources other than the data subject,
allowing organisations to provide the required information at a
later stage.)
2. Can failure to inform data subjects at the time of
collection justify an administrative fine?
The CJEU’s bottom line on transparency
In reaching its decision the CJEU agreed with the DPA’s
position, ruling that Article 13 of the GDPR applies to body worn
camera recordings because the data is collected directly from the
individual, and not from a third-party source. Specifically, the
CJEU noted that “the classification of data collection as
‘direct’ does not require either that the data subject
knowingly provide data or any particular action on his or her part.
Therefore, data obtained from observing the data subject is
considered to have been collected directly from him or
her.”
The CJEU explained that organisations must provide information
immediately at the point of collection and advised using a
“multi-layered approach” that combines methods
of communication such as clear signage and accessible notices that
recordings are taking place. Referring to EDPB Guidelines 3/2019, the CJEU
confirmed that transparency can be achieved through:
First layer: Clear signage or a “warning
sign” stating that a recording is taking place.
Second layer: Along with other mandatory information,
a full privacy notice stating the purpose, types of data collected,
and identity of the controller made available in an
“appropriate and complete manner, in an easily accessible
place” such as via a QR code, website, or printed
material.
The CJEU explained that if Article 14 of the GDPR applied
“the data subject would not receive any information at the
time of collection, even though he or she is the source of those
data, which would allow the controller not to provide information
to that data subject immediately. Therefore, such an interpretation
would carry the risk of the collection of personal data escaping
the knowledge of the data subject and giving rise to hidden
surveillance practices.”
In essence, the CJEU confirmed that real time transparency is
non-negotiable. Organisations using body worn cameras must inform
individuals immediately when data is collected, not later. The CJEU
has closed the door on any attempt to rely on Article 14 of the
GDPR as this would allow organisations to delay or avoid informing
individuals, creating a risk of hidden surveillance, an outcome
incompatible with the GDPR’s objective of ensuring a high level
of protection for individual rights.
What should organisations be doing in light of this
decision?
Organisations that have implemented, or are considering implementing,
body worn cameras are encouraged to:
Review transparency measures to ensure compliance with relevant
GDPR provisions, and build these into operational processes rather than
simply hiding them in a privacy policy.
Update policies and procedures for direct data collection, i.e.
embed Article 13 GDPR obligations into operational workflows for
systems collecting data, including body worn cameras, CCTV, or
similar technologies.
Assess technical configurations so that features like short
loop recording and override functions are documented and justified
to demonstrate compliance with the GDPR principles of data
minimisation and purpose limitation.
Ensure appropriate employee training to understand when and how
to provide information to an individual and how to respond to
questions about data processing.