CCTV Footage Redaction: Definition
CCTV footage redaction is the technical process of concealing personal data visible in surveillance recordings before they are shared, exported, analysed, or archived for secondary use. In practice, this mainly concerns faces and license plates, because these are the elements that most often make it possible to identify a natural person, either directly or indirectly. In the context of data protection, this is not about cosmetic retouching, but about reducing identifiability in video footage or still frames.
From a GDPR perspective, CCTV footage containing a recognisable image of a person may constitute personal data if that person can be identified. This follows from Article 4(1) of Regulation (EU) 2016/679 and from the case law of the Court of Justice of the European Union, including case C-212/13 Ryneš, where video surveillance was recognised as the processing of personal data. Redacting footage is not a separate exemption from the controller’s obligations; rather, it is a technical measure that supports the principles of data minimisation, purpose limitation, and integrity and confidentiality set out in Article 5 GDPR.
In practice, CCTV video redaction most often means blurring, pixelating, masking, or permanently obscuring selected areas of the frame across all frames in which the object appears. If the purpose of the redaction is to reduce the risk of identification, it must be applied consistently over time, including when the object’s position, scale, angle, or lighting changes.
The Role of CCTV Footage Redaction in GDPR Compliance
CCTV footage redaction becomes particularly important when a controller discloses footage to a third party, processor, insurer, legal representative, or public authority that does not need access to the full scope of the data. In such cases, the information disclosed should be proportionate to the purpose. This is a practical application of the data minimisation principle.
With regard to faces, the need for caution when sharing footage follows not only from the GDPR, but also from rules protecting personality rights and from legal principles governing the publication of a person’s image. As a general rule, a person’s image should be blurred before footage is provided to an entity that does not need to know the identity of everyone visible in the frame. Exceptions are limited and mainly concern public figures in connection with their public role, an image captured as a minor detail of a larger whole, or situations where the person has received agreed remuneration for posing.
With regard to license plates, the legal position in Poland is not entirely uniform. Guidance from data protection authorities and broader European practice tend to treat registration numbers as information that may lead to identification. On the other hand, Polish case law includes the view that a license plate does not always constitute personal data on its own. Controllers should therefore assess the context, the purpose of the disclosure, and the risk of identification, and apply a precautionary approach when sharing footage outside their organisation.
How CCTV Footage Redaction Works Technically
Effective CCTV redaction software combines object detection, frame-to-frame tracking, and the permanent application of a mask to the output material. In modern systems, face detection and license plate detection are usually performed using deep learning models. A neural network is first trained on appropriately labelled datasets and then used for inference, meaning the automatic identification of areas to be blurred in a specific recording.
For CCTV material, the key point is that a detector alone is not enough. Object tracking across frames is also required, because a face or license plate may be partially obscured, rotated, motion-blurred, or visible for only a fraction of a second. A single-frame error may result in personal data being disclosed.
- Detection – locating a face or license plate within a frame.
- Tracking – maintaining the object’s identity across consecutive frames.
- Redaction rendering – applying a mask, blur, pixelation, or blackout.
- Export – saving the output file in a way that does not allow the concealed data to be easily restored.
Gallio PRO automatically blurs faces and license plates in video footage and images. It does not perform real-time anonymisation or live video stream anonymisation. It also does not automatically blur full body silhouettes, logos, tattoos, name badges, documents, or content displayed on monitor screens. These elements can be concealed manually using the built-in editor.
Key Parameters and Metrics for CCTV Footage Redaction
Assessing the quality of CCTV footage redaction should not be limited to stating that the footage has been blurred. Measurable parameters are needed to evaluate the risk of missed detections and the operational usefulness of the process.
Parameter | Meaning | Practical Impact
|
|---|---|---|
Recall | The proportion of faces or license plates actually present that are detected by the system | Low recall increases the risk of data disclosure |
Precision | The proportion of correct detections among all detections | Low precision increases the number of incorrect masks |
Frame coverage | The percentage of frames in which the object was correctly masked | Critical in footage involving motion and changing camera angles |
Processing latency | The time required to analyse and export the footage | Affects request handling and the timeliness of actions |
Manual review rate | The portion of material requiring human verification | Affects costs and workflow organisation |
When assessing risk, it is worth distinguishing between false negatives and false positives. From a compliance perspective, a false negative is more serious, as it means that a face or license plate was not detected. A false positive reduces the practical usefulness of the footage, but usually does not lead to a breach of confidentiality.
Challenges and Limitations of CCTV Footage Redaction
Surveillance footage is often of lower quality than studio-grade material. Compression, poor lighting, reflections, obstructions, and unusual angles are common. These factors directly affect detection quality and the stability of object tracking. For this reason, automatic video redaction should be supported by human review, especially before footage is shared outside the organisation.
It is also important to distinguish anonymisation from pseudonymisation. If data can be restored, or if there is a realistic possibility of re-identification based on the scene context, clothing, time, and place, then this is better described as limiting data exposure rather than full anonymisation. European guidance emphasises that the assessment must take into account all means of identification that are reasonably likely to be used.
Practical Uses of CCTV Footage Redaction
The most common use case is preparing a copy of footage for a person reporting an incident or exercising their rights as a data subject. In such cases, the controller should disclose only the portion of the image that is necessary. If the recording includes bystanders or vehicles unrelated to the matter, their faces and license plates should be blurred.
Another typical scenario is providing footage to a law firm, auditor, insurer, or contractor. In such cases, CCTV footage redaction reduces excessive data disclosure and supports the need-to-know principle. In many organisations, it is a standard part of information security procedures.
Legal References and Sources
The importance of CCTV footage redaction should be assessed on the basis of legal provisions and guidance, not solely technical practice. The key sources are EU legislation, case law, and the positions of supervisory authorities.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 – Articles 4, 5, 25, and 32.
- CJEU, C-212/13, František Ryneš v Úřad pro ochranu osobních údajů, judgment of 11 December 2014.
- EDPB, Guidelines 3/2019 on processing of personal data through video devices, version adopted after public consultation on 29 January 2020.
- Article 29 Working Party, Opinion 05/2014 on Anonymisation Techniques, 10 April 2014.
- Guidance issued by the Polish Personal Data Protection Office regarding the disclosure of CCTV footage.
- Polish administrative case law on whether license plates qualify as personal data, noting the existing interpretative divergences.
In practice, the controller should document the legal basis for disclosure, the scope of the redaction, the person who approved the material, and whether the system stores logs containing personal data resulting from face or license plate detection. This approach reduces the risk of secondary data processing during the anonymisation process itself.