Face blurring is a visual data anonymization technique that detects human faces in photos or videos and obscures them so individuals cannot be identified. In deep learning workflows, face blurring and license plate blurring reduce the risk that published visuals reveal personal data. However, blurring does not automatically make data “anonymous” under data protection law. Outputs fall outside data protection law only if individuals are no longer identifiable by means reasonably likely to be used, taking account of all the means reasonably likely to be used by the controller or any other person [1][6].
Images and videos are personal data if a person can be identified directly or indirectly [1]. Regulators distinguish between anonymization and pseudonymization. Anonymized visuals are processed so individuals are not identifiable by any means reasonably likely to be used. Pseudonymized visuals can still be linked back to a person with additional information and remain within the scope of data protection law [1][6].
Face blurring can contribute to anonymization by reducing facial identifiers, but effective implementations also consider other identifiers, such as unique tattoos, distinctive clothing, voice (in video), location context, and license plates. If any identifier remains and enables identification, the output may still be personal data [1][6][8].
Topic | EU GDPR | UK GDPR
|
|---|---|---|
Are images personal data | Yes, if a person is identifiable [1] | Yes, if a person is identifiable [2][3] |
Anonymized outputs | Outside GDPR only if irreversibly anonymized (i.e., individuals are not identifiable by means reasonably likely to be used) [1][6] | Outside UK GDPR only if irreversibly anonymized (i.e., individuals are not identifiable by means reasonably likely to be used) [2][6] |
Lawful basis to publish identifiable visuals | Depends on context; commonly consent or legitimate interests, with a documented balancing test where legitimate interests is used [1][4][7] | Depends on context; commonly consent or legitimate interests, with a documented balancing test where legitimate interests is used [2][4] |
Children’s images | Higher risk; stronger justification and safeguards often expected (child-specific transparency and fairness considerations) [1] | Higher risk; ICO expects particular care and safeguards for children’s data [4] |
Video surveillance guidance | EDPB guidelines on video devices [8] | ICO guidance on CCTV and video surveillance [5] |
Cross-border transfers | Apply transfer rules if data are personal data; genuinely anonymized data are outside GDPR [1] | Apply UK transfer rules if data are personal data; genuinely anonymized data are outside UK GDPR [2] |
Note: these are not “automatic exemptions” under GDPR/UK GDPR. Whether consent is required depends on the lawful basis and applicable local laws (including image/portrait rights), reasonable expectations, and fairness/transparency obligations [1][4].
Re-identification risk - Even with faces blurred, people may be identified from unique clothing, gait, accessories, body tattoos, voice, or from background identifiers such as storefronts, apartment numbers, or distinctive locations. License plate blurring often accompanies face blurring in street scenes.
Metadata exposure - EXIF and XMP metadata can contain timestamps, GPS coordinates, device identifiers, or author notes. Removing metadata before publication is a common risk-reduction measure.
Detection errors - False negatives leave some faces or plates unblurred. False positives may blur logos or objects and harm usability. Detection performance depends on lighting, occlusions, camera angles, headwear, masks, and motion blur. Night scenes and wide-angle/fisheye cameras are notably challenging [8].
Compression and editing artifacts - Re-encoding and resizing can weaken some masking approaches. Robust techniques use sufficiently strong pixelation or blur (or full masking/solid boxes) for high-risk content. The objective is practical irreversibility in the context of “means reasonably likely to be used” [1][6].
Cloud transfer risk - Uploading raw footage to external services creates additional data flows and may introduce transfer/vendor risk. On-premise software can limit external transfers and support internal security controls.
State-of-the-art pipelines combine detectors for faces and plates with tracking to maintain masking across frames. For higher-risk scenes, person detectors or segmentation can obscure full bodies. Accuracy and throughput are context-dependent and should be validated on representative datasets.
On-premise software allows processing within controlled infrastructure, supports offline operation, and can simplify retention policies. To explore enterprise-grade on-premise tooling, Check out Gallio PRO.
To assess this workflow with enterprise data, Download a demo.
Define metrics by use case: detection recall on faces and plates, residual identification risk in audited samples, and processing time per minute of video. Report results by scenario type - indoor, outdoor, night - rather than a single aggregate. Any headline accuracy or cost claims are context-dependent unless backed by formal and public benchmarks. Organisations may run internal “re-identification attempts” (sometimes framed as red-teaming) to identify remaining identifiers in blurred outputs and document findings as corrective inputs to the pipeline [6][8].
Teams seeking a hardened, on-premise solution can Contact us to discuss deployment and review logs, RBAC, and offline modes.
When procuring on-premise software for visual data anonymization, buyers typically require: batch processing for large libraries, configurable blur strength and masks, support for face blurring and license plate blurring, video tracking, metadata stripping, audit logs, and hardware acceleration. Alignment with internal security policies and the ability to operate fully offline are common requirements in public sector and regulated industries.
Not always. If other identifiers remain (for example, unique clothing, tattoos, voice, distinctive locations, or license plates), individuals may still be identifiable. Pair face blurring with license plate blurring where relevant and consider additional masking for high-risk scenes [1][6][8].
It depends on context and the chosen lawful basis. Many organisations rely on consent or legitimate interests for identifiable footage, but other lawful bases may apply depending on circumstances. If outputs are genuinely anonymized (individuals not identifiable by means reasonably likely to be used), publication of those outputs may fall outside GDPR/UK GDPR; however, recording / processing the original footage is still processing of personal data and must have a lawful basis and meet transparency/fairness requirements [1][4][6].
It does not change the law, but it can reduce third-party disclosures/transfers and can simplify security and retention controls. Legal obligations still apply to any processing of personal data [1][2][4].
Remove EXIF and XMP before publishing where feasible, because metadata can increase identifiability risk (for example, GPS location and timestamps). This is a common risk-reduction measure in practice.
There is no single regulator-defined kernel size. A practical approach is to test against re-identification considering “means reasonably likely to be used,” including common enhancement steps (resizing, re-encoding, sharpening) and contextual cues. If individuals are not identifiable in context, the setting is closer to anonymization [1][6].
They can be personal data if a person is identifiable directly or indirectly from the plate (for example, via access to registration data or other reasonably likely means). In many real-world contexts, blurring plates is a sensible safeguard in street-level footage [1][5].
There are no blanket GDPR/UK GDPR exemptions that automatically remove the need for a lawful basis. In practice, requirements depend on context: whether the person is a public figure acting in a public role, whether the person is incidental in a wider scene, and whether a valid contract/model release covers intended uses. Separate local portrait / image rights may also apply [1][4].
