Multi-Camera Anonymization: Definition
Multi-camera anonymization is the anonymization of video footage or images from multiple cameras within a single organizational and technical process. In practice, this means detecting and blurring faces and license plates across multiple files or streams recorded by different CCTV devices, while maintaining consistent processing rules, quality control, and operational accountability. In the context of data protection, this is not limited to live transmission; it often involves processing footage that has already been recorded. This is an important distinction, because Gallio PRO does not perform real-time anonymization or live video stream anonymization.
From a technical perspective, this falls within the area of batch image and video processing. The system analyzes footage from multiple cameras, identifies areas containing personal data in the form of facial images or vehicle registration numbers, and then applies a mask or blur. Automatic detection relies on machine learning models, usually based on deep learning. Deep learning is used both when building the AI model and later when performing object detection on video frames or images. Anonymization itself therefore does not involve “intelligent” data removal, but rather the use of a model that detects areas requiring concealment and permanently transforms the output image.
From a legal and organizational standpoint, multi-camera anonymization is a form of personal data processing subject to GDPR requirements, in particular the principles of purpose limitation, data minimization, integrity and confidentiality, and accountability described in Article 5 of Regulation (EU) 2016/679, as well as the security of processing requirements under Article 32. In the case of video surveillance, the guidelines of the European Data Protection Board are also relevant, including Guidelines 3/2019 on processing of personal data through video devices, adopted in their final version on 29 January 2020.
The Role of Multi-Camera Anonymization in Large CCTV Systems
In large CCTV systems, the challenge is not just detecting a face or a license plate in a single frame. The real difficulty lies in the scale. One incident may be captured by a dozen or even several dozen cameras, each with different image parameters, perspectives, compression settings, and lighting conditions. Video anonymization must then work consistently across the entire set of recordings.
In practice, this requires combining technical and organizational requirements:
- a uniform anonymization policy for all cameras covered by the process,
- identification of footage sources and their technical parameters,
- establishing a processing queue and priorities for large data volumes,
- post-processing quality control, including manual review of edge cases,
- secure access control for source and output materials.
In environments such as transport, logistics, manufacturing, retail, and public administration, footage from multiple cameras is often shared with third parties, for example law firms, insurers, public authorities, or individuals exercising their rights under Article 15 GDPR. In such a model, the absence of anonymization, or insufficient anonymization, increases the risk of violating the privacy of bystanders.
Technologies Used in Multi-Camera Anonymization
The effectiveness of multi-camera anonymization depends on detection quality and processing stability. Most commonly, object detection models trained on large image datasets are used. For faces and license plates, typical solutions include CNN architectures as well as newer one-stage and two-stage detection models. Their task is to indicate a detection bounding box on each frame or on selected reference frames.
In a production environment, the pipeline typically includes the following components:
- video decoding and frame extraction,
- face detection and license plate detection,
- object tracking between frames to reduce mask flicker,
- applying a mask or blur,
- encoding the output material,
- manual verification of uncertain cases.
With multiple cameras, the heterogeneity of input data becomes especially important. A 2 MP camera at 15 fps will produce different results than a 4K camera at 25 fps using the H.265 codec and strong compression. For this reason, model parameters and confidence thresholds cannot always be identical across an entire CCTV installation.
Gallio PRO automatically blurs faces and license plates. It does not automatically detect company logos, tattoos, name badges, documents, or screen content displayed on monitors. These elements can be blurred manually in the editor. This has practical importance during audits and when defining the scope of the anonymization process.
Key Parameters and Metrics for Multi-Camera Anonymization
Process evaluation should not rely on general claims. Measurable parameters are needed. In image anonymization systems, the most important metrics are detection quality metrics and processing performance metrics.
Parameter | Meaning | Practical significance
|
|---|---|---|
Recall | The percentage of correctly detected objects out of all existing objects | The higher it is, the lower the risk of leaving an unblurred face or license plate |
Precision | The percentage of correct detections out of all detections | The higher it is, the fewer incorrect masks on the background or other objects |
IoU | Intersection over Union for the detection bounding box | Helps assess whether the mask covers the correct area |
File processing latency | The time from the start of processing to the generation of the output file | Affects request turnaround times and operational workflows |
Throughput | The number of minutes or hours of footage processed per hour | A key metric for large CCTV systems |
Manual review rate | The percentage of material requiring manual correction | Shows the actual operational cost of the process |
In image detection tasks, the average precision metric calculated for IoU thresholds is widely used. For example, the COCO benchmark uses AP across an IoU range from 0.50 to 0.95, as described by Lin et al. in 2014. These types of metrics are useful for model testing, but for a data protection officer, high process sensitivity may be even more important, because a single undetected face can have significant legal consequences.
In practice, a simple operational indicator can be used:
Anonymization effectiveness = 1 - (number of undetected objects / total number of objects requiring blurring)
This is a supporting metric for internal audits, provided that the calculation method is documented and repeatable.
Organizational Requirements for Anonymizing Footage from Multiple Cameras Simultaneously
In multi-camera environments, technology alone is not enough. A process is needed that reduces the risk of errors and makes it possible to demonstrate compliance. This is especially important where footage leaves the organization or is shared with a larger number of recipients.
This usually includes the following requirements:
- a register of recording sources, file formats, and system owners,
- role-based access permissions,
- separation of source material from anonymized material,
- a quality control and output approval procedure,
- rules for handling exceptions, for example very low-quality footage,
- defined retention periods and secure deletion of working copies.
If the software runs on-premises, it is easier to meet requirements related to control of the processing environment and data transfer. This model is often preferred where CCTV footage should not leave the controller’s infrastructure. From a security perspective, the practices described in ISO/IEC 27001:2022 for information security management systems and ISO/IEC 27002:2022 for security controls are also relevant.
Limitations and Risks of Multi-Camera Anonymization
Multi-camera anonymization does not provide an absolute guarantee. The quality of the result depends on the quality of the recording, the object’s position, occlusions, compression, motion, and lighting. In particular, partially turned faces, faces that are small within the frame, or faces obscured by scene elements may require manual correction. The same applies to license plates photographed at a sharp angle or while in motion.
It is also important to distinguish anonymization from pseudonymization. If the material still allows a person to be identified through other features of the scene, blurring the face alone does not always eliminate the risk of identification. For this reason, the scope of shared material should be assessed in context. In relation to video surveillance, the EDPB indicates that the controller should apply measures appropriate to the purpose and to the risk to the rights and freedoms of natural persons.
Legal and Standards References for Multi-Camera Anonymization
The assessment of the process is based on legal acts and guidelines concerning the processing of visual data. In the case of faces, their status as personal data is generally undisputed if the person can be identified. A likeness may also be protected under civil law and copyright law. In the case of license plates, the situation in Poland is not entirely uniform and depends on the context of identifiability and the purpose of processing.
The main reference points are:
- GDPR – Regulation (EU) 2016/679, in particular Articles 5, 25, and 32,
- EDPB – Guidelines 3/2019 on processing of personal data through video devices, final version of 29 January 2020,
- ISO/IEC 27001:2022 and ISO/IEC 27002:2022 – information security,
- ISO/IEC 23894:2023 – guidance on risk management for AI, useful for assessing AI model risks,
- NIST AI RMF 1.0 – an AI risk management framework useful for validating and overseeing detection models.
In practice, the controller should document which categories of objects are blurred automatically, which cases are routed to manual review, and what the technical limitations of the process are. Such documentation is important from the accountability perspective.