Smart City Video Privacy – Definition
Smart city video privacy refers to the design, deployment, and oversight of urban surveillance systems in a way that keeps camera footage processing compliant with data protection law and the principle of minimizing interference with individuals’ rights. In practice, this means a city can use recordings and images for purposes such as public safety, traffic management, incident analysis, or documentation of events, without excessively capturing and disclosing identifiable features of people and vehicles.
In the context of photo and video anonymization, the term primarily means applying technical and organizational measures that limit the identification of individuals in visual material. In particular, this includes blurring faces and license plates before any further sharing, analysis, publication, or transfer beyond a narrow group of authorized recipients. The main legal basis here is the GDPR, namely Regulation (EU) 2016/679, applicable since 25 May 2018, and for projects using AI systems, the EU Artificial Intelligence Act, or AI Act – Regulation (EU) 2024/1689, published on 12 July 2024 and becoming applicable in stages from 2025.
For local governments, a key issue is that surveillance footage may contain personal data if it makes it possible to identify a person directly or indirectly. This is confirmed by CJEU case law, including Case C-212/13 Ryneš, as well as the established practice of EU data protection authorities. For this reason, smart city surveillance is not merely an infrastructure issue. It is also a data processing activity that requires a legal basis, risk assessment, retention policies, and video anonymization mechanisms.
Legal Framework for Urban Surveillance and Video Anonymization
In smart city projects, simply stating a public-interest purpose is not enough. The controller must demonstrate that the entire lifecycle of the recording complies with the principles of lawfulness, purpose limitation, data minimization, integrity, and confidentiality. In urban surveillance, this means clearly separating the recording stage from any secondary use of the footage.
The key laws and guidance include:
- GDPR – Regulation (EU) 2016/679, especially Articles 5, 6, 25, 32, and 35.
- EDPB Guidelines 3/2019 on processing personal data through video devices, adopted in final version on 29 January 2020.
- AI Act – Regulation (EU) 2024/1689. In smart city systems, particular importance attaches to rules for high-risk systems and restrictions on remote biometric identification.
- National laws governing surveillance by public bodies and access to public information.
- In Poland, guidance issued by the UODO, and in the case of publication, also the Civil Code and the Copyright and Related Rights Act with regard to image rights.
In legal practice, there are also important differences of interpretation regarding license plates. In Europe, blurring license plates is often treated as a standard compliance and legal-risk precaution. In Poland, the situation is less uniform. Guidance from the UODO, the EDPB, and part of the reasoning based on CJEU case law support a cautious approach, while administrative court rulings have indicated that a license plate alone does not always constitute personal data. For a public authority, this means the context and risk must be assessed rather than relying on a single interpretation.
How Smart Cities Use Photo and Video Anonymization
In urban systems, anonymization does not usually mean deleting the entire recording, but rather reducing the identifiability of specific elements in the image. Most often, this concerns the faces of bystanders and vehicle license plates. This is particularly important when footage is shared with organizational units, used in promotional materials for public investments, provided to the media, or used in datasets for testing and training.
From a technical perspective, the process usually includes:
- object detection in video frames,
- tracking detected objects across frames,
- applying an anonymization mask, such as blur or pixelation,
- quality assurance to ensure no frames remain unblurred.
Machine learning models, most commonly based on deep learning, are used for automatic face detection and license plate detection. A neural network is first trained on datasets containing labeled examples of faces or license plates. Only then can the trained model be used for automatic blurring in photos and video recordings. Without the training stage, the model cannot reliably detect objects under changing urban conditions such as rain, movement, nighttime scenes, or partially covered faces.
In the case of Gallio PRO, the functional scope should be clearly distinguished. The software automatically blurs faces and license plates. It does not blur entire body silhouettes. It does not perform real-time anonymization or live video stream anonymization. It does not automatically detect logos, tattoos, name badges, documents, or content displayed on monitors. Such elements can be blurred manually in the editor.
Key Parameters and Metrics for Video Privacy
Any assessment of an anonymization system in a smart city environment should be based on measurable parameters. Statements of compliance alone are not enough. For the DPO and the IT team, both detection performance and the risk of disclosure after anonymization are critical.
Parameter | Meaning | Practical importance
|
|---|---|---|
Recall | The percentage of actual faces or license plates correctly detected | Low recall increases the risk of leaving personal data visible |
Precision | The percentage of correct detections among all detections | Low precision increases the number of incorrect masks |
IoU | Intersection over Union for the detection bounding box | Determines whether the mask actually covers the full face or license plate area |
Frame coverage | The percentage of frames where the mask is correctly maintained | Especially important when the camera moves or the object moves quickly |
Processing latency | The time required to process the material | Affects public-sector workflow efficiency and, in offline systems, determines how quickly footage can be prepared for disclosure |
Recording retention | The storage period for the source material | Must be justified by the purpose and the controller’s policy |
For risk assessment, a simple operational model can be used:
Disclosure risk = probability of non-detection × impact of identification
If the footage is intended for broader disclosure, the required level of anonymization effectiveness should be higher than for internal, tightly controlled circulation.
Use Case for Local Government – Publishing and Disclosing Recordings
A typical use case involves municipal surveillance of intersections, bus stops, and public squares. The city wants to use the footage for traffic analysis, investment documentation, or to respond to a public information request. However, the material contains the faces of pedestrians and license plate numbers.
A secure process will usually include the following steps:
- defining the purpose of the secondary use of the footage,
- verifying the legal basis and whether a DPIA is required under Article 35 GDPR,
- selecting only the portion of the recording necessary for the purpose,
- automatically blurring faces and license plates,
- manually reviewing the material for remaining identifiers,
- sharing the processed copy instead of the source file,
- applying a retention policy and access controls.
This approach supports the privacy by design principle under Article 25 GDPR. It also reduces the number of operations performed on the source material by unauthorized persons. In an on-premise environment, an additional benefit is that there is no need to transfer recordings to external cloud services, which simplifies the analysis of data flows and transfers.
Challenges and Limitations in Smart City Projects
Even a properly designed system does not eliminate all risks. The most common issues are technical and organizational in nature. They relate to image quality, camera angle, lighting, compression, and errors in the secondary use of footage.
The key limitations include:
- reduced detection effectiveness at low resolution and high compression,
- partial obstruction of a face or license plate,
- the risk of indirect identification despite blurring, for example through location and time context,
- the need to distinguish evidentiary material from footage intended for publication,
- the non-uniform approach to the legal classification of license plates in Poland.
When it comes to a person’s image, it should be remembered that the obligation to anonymize may arise not only from the GDPR, but also from the protection of personal rights and the rules governing the dissemination of a person’s likeness. Exceptions include a well-known person where the image was captured in connection with the performance of their public functions, an image forming only a detail of a whole such as a gathering, landscape, or public event, and a situation where the person received agreed remuneration for posing. Each of these cases, however, requires an assessment of the specific facts.