CCTV and Privacy Rights


Security cameras have become the very symbol of security in the modern age, lining up the streets of developing and developed countries, solving numerous crimes and petty thefts in many places around the world. Closed-circuit television (CCTV) or video surveillance is camera systems used to transmit signals to a specific location often with visualization on a limited number of televisions or computer monitors. Since its early inception, video surveillance has been met with strong opposition from those who consider their presence in many places as a form of disrespecting the privacy of any individual with certain groups decrying its potential to change the experience of being in the public, exposing the people to possible misuse and abuse of data (ACLU, 2019).

A Right to Privacy was first described and interpreted by American Attorneys Samuel Warren and Louis Brandeis in a law review article (4 Harvard L.R. 193 (Dec. 15, 1890)). They examined aspects of the then existing laws and proposed that there was a more general “right to be let alone.” The authors tried to delineate the boundaries of such a right and concluded that the laws afforded “a principle which may be invoked to protect the privacy of the individual from invasion.”

Despite its potential positive purpose, the installation of fixed CCTV cameras is a highly controversial topic in most parts of the world in recent years. The advent of more sophisticated ways to monitor populations without the presence of visible cameras adds another dimension to how the technology is used. This paper would delve into the legal implications on privacy issues of maintaining video surveillance systems in some jurisdictions.


International human rights law provides the universal framework against which any interference in individual privacy rights must be assessed. Article 12 of the Universal Declaration of Human Rights provides that “no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” The International Covenant on Civil and Political Rights provides in Article 17 that “no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation”. It further states that “everyone has the right to the protection of the law against such interference or attacks.” As a consortium of countries from around the world, the United Nations (UN) has tried to help its member countries further this research on privacy and device an agreement which could guide the nations on how they should treat privacy and surveillance. While recognizing when conducted in compliance with the law, including international human rights law, surveillance of electronic communications data can be a necessary and effective measure for legitimate law enforcement or intelligence purposes, the 2014 report by the Office of the United Nations High Commissioner for Human Rights to the UN General Assembly vehemently condemned the use of mass electronic surveillance which it defined as including not only the physical information of the population but also access to personal information and internet activity which has been explained as clear violation of the core privacy rights of the system (United Nations, 2019). Surveillance measures must not arbitrarily or unlawfully interfere with an individual’s privacy. Interference with an individual’s right to privacy is only permissible under international human rights law if it is neither arbitrary nor unlawful. In its general comment No. 16, the Human Rights Committee explained that the term “unlawful” implied that no interference could take place “except in cases envisaged by the law. Interference authorized by States can only take place on the basis of law, which itself must comply with the provisions, aims and objectives of the Covenant.”  In other words, interference that is permissible under national law may nonetheless be “unlawful” if that national law is in conflict with the provisions of the International Covenant on Civil and Political Rights. The expression “arbitrary interference” can also extend to interference provided for under the law. The Committee had interpreted the concept of reasonableness to indicate that “any interference with privacy must be proportional to the end sought and be necessary in the circumstances of any given case”. There are mentioned overarching principles of legality, necessity and proportionality. Any limitation to privacy rights reflected in Article 17 must be provided for by law, must be necessary for reaching a legitimate aim, as well as in proportion to the aim and the least intrusive option available. The onus is on the authorities seeking to limit the right to show that the limitation is connected to a legitimate aim. Mass or “bulk” surveillance programmes may thus be deemed to be arbitrary, even if they serve a legitimate aim and have been adopted on the basis of an accessible legal regime. In other words, it will not be enough that the measures are targeted to find certain needles in a haystack; the proper measure is the impact of the measures on the haystack, relative to the harm threatened; namely, whether the measure is necessary and proportionate.


Every country in the world has its own set of rules and regulations applicable to the use of video surveillance systems. It has been established that among the different kinds of rights that could be disrespected in the presence of these security systems, privacy remains at the top as its existence is ensured by the International Declaration of Human Rights. The United States of America has been a member of the UN ever since it was formed in 1945 and until now remains an important figure in the international scene. However, it would be interesting to note that in the country's constitution, the term “privacy” was never explicitly used.

But this does not mean that privacy as a concept is not respected in the country. The Fourth Amendment to the United States Constitution provides the following: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." It prohibits unreasonable searches and seizures and it sets out requirements for issuing warrants. This declares that the United States Constitution protects people from any kind of intrusion that might surpass their security as a person.

In Katz v. United States (389 U.S. 347 (1967)), Charles Katz used a public payphone booth to transmit illegal gambling wagers. The Federal Bureau of Investigation was recording his conversations via an electronic eavesdropping device attached to the exterior of the phone booth. Katz was convicted based on these recordings. Katz appealed. Justice Stewart ruled that "[t]he Government's activities in electronically listening to and recording the petitioner's words violated the privacy upon which he justifiably relied while using the telephone booth and thus constituted a 'search and seizure' within the meaning of the Fourth Amendment." Without a warrant in the first place, and following the fruit of the poisonous tree doctrine, the Supreme Court determined in favour of Katz. This case extended the Fourth Amendment right to privacy to cover the search of intangible property (as opposed to physical intrusion onto tangible property only), and would presumably apply to the recording of CCTV footage. Katz is also the authority for the right of privacy protection to cover such scope where there is a “reasonable expectation of privacy.”

People in the country have been clamouring on how the use of CCTV cameras would fare with the Fourth Amendment specifically when law enforcement use them as a tool to deter criminality in various places around America. According to James Falk Sr., Chairman of the U.S. Department of Justice’s National Institute of Justice Liability Panel, cameras in public places are legal; there is no expectation of privacy in public places (Nichols, 2001). A survey conducted by the International Associate of Chiefs of Police showed that 95% of decision-makers in placing CCTV cameras acknowledge and believe that placing them in public areas would not warrant any cause for alarm as no privacy rights are being harmed. Furthermore, the respondents are expectant that establishing the points where CCTV cameras are located does more to help in avoiding any more harm thus resulting in the overall protection of the people. With due respect, to say that placing CCTV cameras in public areas raises no privacy issues because those areas are public must be wrong. The Katz test was arranged into a two-prong test for assessing the reasonableness of an expectation of privacy: If (1) the individual "has exhibited an actual (subjective) expectation of privacy", and (2) society is prepared to recognize that this expectation is (objectively) reasonable, then there is a right of privacy in the given circumstance. Supposedly no swimmer enjoying a tan under the sun at Repulse Bay Beach would expect her swimsuit footage be deviously recorded, focused, enlarged, and exposed on YouTube for all to see and comment. She expects and has a right to privacy to protect even she was in a public place. Views of law enforcement agencies should sometimes be looked at with particular caution.

In 1974, the United States passed the Privacy Act. The Act establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records, but is only applicable to federal agencies. The Act was based on eight practices previously adopted as guidelines known as the Fair Information Practice Principles (FIPPs), and the Homeland Security Department (DHS) used the FIPPs in constructing its guidelines on CCTV. The DHS defined Personally Identifiable Information as “Any information that permits the identity of an individual to be directly or indirectly inferred, including any other information which is linked or linkable to that individual regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the Department.” The guidelines address the following principles: purpose specification, transparency, individual participation, data minimization, use limitation, data quality and integrity, security, and accountability and auditing (Hartmus, 2014).

Under the “Purpose Specification Principle” the DHS best practices guide encourages studies to determine the effectiveness of CCTV, by means of cost-benefit analysis, before selecting CCTV over other tools to fight crime or improve security. The “transparency principle” encourages community involvement in the decision-making process to adopt CCTV including the use of town meetings, administrative notice, comment processes, voter referendum, or promulgation of written policies. The “Individual Participation Principle” promotes appropriate signage, limited retention of data, and allowing individuals to inspect, at any reasonable time, an agency’s camera monitoring operations centre. It also recommends allowing individuals whose images may be captured on CCTV to access that image (something which is required under the United Kingdom’s DPA (see below), but not under any laws of the United States). The “Data Minimization Principle” is focused on minimizing the data collected to that likely to help accomplish the mission and the data retained to that necessary to accomplish the mission.  The “Use Minimization Principle” counsels agencies to limit data sharing, using CCTV solely for the purpose(s) specified in the notice given to the public. The “Data Quality and Integrity Principle” ensures that the images captured are safeguarded and easy to authenticate. The “Security Principle” encourages appropriate security measures against loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.  The final principle discusses accountability and auditing and recommends the use of control logs, including automated operator logon. Periodic audits to ensure adherence to policies preferably should be conducted by professional boards or outside government agencies. Also stressed is the need for the provision of sanctions for misuse and abuse of the CCTV systems.

The Fourth Amendment, privacy legislations, and their judicial interpretation shed light on the protection of rights of privacy in principle, but the issues would only be determined when, and if at all, they eventually come before the courts. The police and other law enforcement agencies could still be at large when generally making use of CCTV footage. There were reports of a top-ranking police official in Washington, DC using police databases to gather information on patrons of a gay club, a database available to Michigan law enforcement being used by officers to help their friends or themselves stalk women, and many more incidents of camera systems being operated to voyeuristically spy on women (ACLU, 2019). The American Civil Liberties Union commented that there are still currently no general, legally enforceable rules to limit privacy invasions and protect against abuse of CCTV systems. Rules are needed to establish a clear public understanding of such issues as whether video signals are recorded, under what conditions, and how long are they retained; what the criteria are for access to archived video by other government agencies, or by the public; how the rules would be verified and enforced; and what punishments would apply to violators.

The National Institute for Justice also found similar disadvantages with the monitoring devices (Hernon, 2003). Their report gathered views of privacy advocates citing research showing that some camera operators focus on individuals based on their own prejudices. In addition, some privacy advocates note that unscrupulous camera operators have circulated clips from surveillance cameras and even used the cameras to fulfil their own voyeuristic tendencies. The report went on to suggest that training programs, clear policies and procedures, personnel background checks, and strict supervision of camera operators can help to mitigate these abuses.


The United Kingdom has seen some hard-hitting policies on data privacy and privacy as a whole due in part to its membership with the European Union. Even though the country is at the brink of leaving the union, the policies enacted while they were still members will continue to be promulgated in the country in the years to come.

As of this writing, the United Kingdom is yet to implement Brexit. In 1998, the UK introduced the Data Protection Act dedicated to “…the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.” The DPA of 1998 brings UK law into line with the European Directive of 1995 that requires the Member States to protect people’s fundamental rights and freedoms and in particular their right to privacy with respect to the processing of personal data. This previously relevant DPA of 1998 defined eight “Data Protection Principles” corresponding to which the Hong Kong legislation bears much resemblance.

In the case of Peck v. the United Kingdom ([2003] ECHR 44), the applicant complained about the disclosure by a local Council to the media of CCTV footage, which resulted in images of him being published and broadcast widely. The judicial authorities in the United Kingdom did not consider that the disclosure of the CCTV material a breach of the applicant's right to privacy under Article 8 of the European Convention. The European Court of Human Rights, however, was of the opinion that the disclosure of the images to the media resulted in a breach of Article 8 of the Convention. The Court emphasized that the applicant was in a public street but that he was not there for the purposes of participating in any public event, nor was he a public figure. The image of the applicant was shown in the media, including the audio-visual media, which were commonly acknowledged as having "often a much more immediate and powerful effect than the print media.” As a result, the Court considered that the unforeseen disclosure by the Council operating the CCTV system of the relevant footage constituted a serious interference with the applicant's right to respect for his private life.

The 1998 DPA was replaced by the General Data Protection Regulation of 2016 as supplemented by a new DPA of 2018. The General Data Protection Regulation is a regulation in European Union law on data protection and privacy for all individual citizens of the EU. Under Article 6, processing of personal data shall be lawful only if and to the extent that at least one of the following applies:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

In an overview, under the DPA 2018, most processing of personal data is subject to the GDPR and it makes provisions for the Information Commissioner. The Commissioner's mission is to “uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.” The Information Commissioner’s Office was once under the spotlight for issuing the maximum fine under the Data Protection Act 1998 of £500,000 to Facebook for breaches of data protection law.

Article 35 of the GDPR mandates the requirement of a Data Protection Impact Assessment: “Where a type of processing, in particular, using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.” A DPIA should contain:

  1. A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller
  2. An assessment of the necessity and proportionality of the processing operations in relation to the purposes
  3. An assessment of the risks to the rights and freedoms of data subjects
  4. The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned

Like much current legislation aimed at privacy, the DPA is focused on protecting electronic data. While CCTV images do fall under this general category, the DPA was not written specifically for CCTV, however, the DPA governs information about individuals that is held by organizations, and thus imposes legal obligations on CCTV operators. DPIA is required when a CCTV is deployed for tracking people’s location or behaviour or systematically monitoring a publicly accessible place on a large scale.

The office of the Surveillance Camera Commissioner was created under the Protection of Freedoms Act 2012 to further regulate the use of CCTV in the United Kingdom. The Act required a Code of Practice to be produced on the use of surveillance camera systems with which the Commissioner has a role to encourage compliance. The Code sets out 12 guiding Principles under which a surveillance camera system must:

  1. always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need
  2. take into account its effect on individuals and their privacy
  3. have as much transparency as possible, including a published contact point for access to information and complaints
  4. have clear responsibility and accountability for all surveillance activities including images and information collected, held and used
  5. have clear rules, policies and procedures in place and these must be communicated to all who need to comply with them
  6. have no more images and information stored than that which is strictly required
  7. restrict access to retained images and information with clear rules on who can gain access
  8. consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards
  9. be subject to appropriate security measures to safeguard against unauthorized access and use
  10. have effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with
  11. be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value, when used in pursuit of a legitimate aim
  12. be accurate and kept up to date when any information is used to support a surveillance camera system which compares against a reference database for matching purposes.

Hoofnagle et al (2019) commented that this set of privacy laws is the most consequential regulatory development in information policy in a generation. The GDPR brings personal data into a complex and protective regulatory regime. That said, the ideas contained within the GDPR are not entirely European, nor new. The GDPR’s protections can be found – albeit in weaker, less prescriptive forms – in U.S. privacy laws and in Federal Trade Commission settlements with companies.


The use of CCTV as a surveillance method has been much discussed and criticized by the local media and the public. Whilst the Personal Data (Privacy) Ordinance (Cap. 486) is the primary legislation governing the collection of personal data in Hong Kong, laborious recommendations are issued by the Privacy Commissioner for Personal Data based on the Data Protection Principles of the Ordinance. The applicable principles include Principles 1 to 5. The explanatory commentaries can be readily retrieved from the publications and website of the office of the Commissioner and need not be repeated here. However, the recommendations and codes of practice are only what they are, including even a seemingly obligatory statement that data users should carry out a privacy impact assessment before using CCTV – they have no legal force of their own. The Data Protection Principles resemble those Data Protection Principles under the Data Protection Act of 1998 of the United Kingdom which have been overridden by the General Data Protection Regulation. No provision of the Data Protection Ordinance is yet specifically written on the use of CCTV as a surveillance tool.


It has been said that the establishment of monitoring systems all around the world reflects how liberal governmentality has evolved throughout the years wherein possibilities of melding authoritarian practices and liberalism are considered to be necessary for some instances. Although the human rights declaration, often mirrored by local human rights laws in the different governments across the globe, would declare that privacy as a human right should be absolute, there is an untold necessity to sometimes it could be limited when the interest of the population at large is being considered (Lippert & Walby, 2013). The existence of these cameras may denote limited freedom, but they could be the very symbols of the state that ensures safety for its people.

The issue of privacy is understandably the cause for clamour for different parties either within the government or from private individuals. Man is not inerrant and therefore whoever will be assigned to govern the regulation of CCTV cameras could be susceptible to do wrong things if they are left with no regulatory body. That is why the model presented by the United Kingdom in the establishment of its statutory offices of commissioners would be a better form of regulation and is expected to lessen cases of corruption or misuse of data.

It was noted that different jurisdictions set themselves apart from others in their implementation of surveillance regulations. For example, in the European Union and, consequently, the United Kingdom, the private sector's use of the data that they collect in various forms are directly supervised by the government while in the United States, the regulation of the private sector remains to be minimal (Levin & Nicholson, 2005). If privacy is considered to be akin to liberty in the United States, in the United Kingdom it is viewed as something that would protect their dignity, a far cry from the liberatory view. However, it is imperative to understand that the importance of privacy in both territories remains to be substantial in providing their constituents and citizens with laws and regulations that ensure that their interests will be utmost respected.

The early 2000s have seen a rise in researches concerning surveillance systems as, during this era, it became apparent that additional measures to counter terrorist attacks were necessary. Since the beginning, the growth of CCTV installations has brought numerous issues of surveillance and society, with the researches often at the task of defining if the pros that could be deduced from considering the use of these cameras would be enough for it to continue (Norris, McCahill & Wood, 2002). Nonetheless, the proliferation of CCTV cameras in certain countries in the current decade is a warning sign that some people and governments have oversighted the disadvantages and focused on the positive gains that CCTV systems could give.

Recent developments in technology have allowed for more sophisticated machines that could provide higher technology solutions in surveillance methods. These so-called smart CCTVs could provide a clearer view of the people it captures and could automatically search for world records about a certain person, much like an automated Big Brother that monitors all citizens at a blink of an eye (Held, Krumm, Markel & Schenke, 2012). Urban planners acknowledge the possibility of these systems to create social-psychological repercussions but are still hopeful on what it may imply in the future generations wherein a safer society could be established through the improvement and better control and regulation of these technologies.


In summary, this paper attempted to discuss the various intricacies of the CCTV systems and their implications and specialized conditions in the different jurisdictions where they are established. For the majority of the 20th century, the various advancements in technology were not directly translated into the maintenance of security just like how surveillance cameras have become. However, at the turn of the 21st century, more and more people were able to get hold of the technology that allows for the continuous recording and surveillance of society. The rise of terrorist groups has also provided a desire for governments to enforce regulatory policies to protect people through these potentially valuable pieces of technology.

The issue of privacy would perhaps remain controversial in the decades to come. Today, surveillance tools may not be limited to installed cameras but could now be worn by anyone anywhere. Perhaps this would raise another dimension of privacy in the future. However, much appreciated are the efforts done by the governments and international institutions in providing a better set of ideas to present in case surveillance measures would expressly violate this basic human right that people around the world expect to possess and to be protected for.

Like any intrusive technology, the benefits of deploying public video cameras must be balanced against the costs and dangers (ACLU, 2019). It is imperative for us, the citizens, to realize and appreciate that there is such a right of privacy in the first place in order to protect it.


ACLU (2019). What's Wrong With Public Video Surveillance? Retrieved from

Hartmus, D. (2014). Government Guidelines for CCTV: A Comparison of Four Countries. International Journal Of Public Administration, 37(6), 329-338. doi: 10.1080/01900692.2013.837069

Held, C., Krumm, J., Markel, P., & Schenke, R. (2012). Intelligent Video Surveillance. Computer, 45(3), 83-84. doi: 10.1109/mc.2012.97

Hernon, J. (2003). CCTV: Constant Cameras Track Violators. NIJ Journal, (249), 16-23.

Hoofnagle et al (2019). The European Union general data protection regulation: what it is and what it means, Information & Communications Technology Law, 28:1, 65-98, DOI: 10.1080/13600834.2019.1573501

Levin, A., & Nicholson, M. (2005). Privacy Law in the United States, the EU and Canada: The Allure of the Middle Ground. U. Ottawa L. & Tech. J, 2(357).

Lippert, R., & Walby, K. (2013). Governing Through Privacy: Authoritarian Liberalism, Law, and Privacy Knowledge. Law, Culture And The Humanities, 12(2), 329-352. doi: 10.1177/1743872113478530

Nichols, L. (2001). Use of CCTV/Video Cameras in Law Enforcement, Executive Brief. Retrieved from

Norris, C., McCahill, M., & Wood, D. (2002). The Growth of CCTV: a global perspective on the international diffusion of video surveillance in publicly accessible space. Surveillance & Society, 2(2/3). doi: 10.24908/ss.v2i2/3.3369

United Nations (2019). The Right to Privacy in the Digital Age. Retrieved from

Mr. Choi holds a Master of Laws from London, a Master’s degree in Urban Planning of Heriot-Watt University, and is a Licentiate of the Royal Town Planning Institute. Formerly the Commercial Partner of a Hong Kong law firm, In-house Counsel of an Asset Management firm and a Sharing Economy IT platform, he has engaged in legal practice for almost two decades. Whilst offering service on the Appeal Panel at the Housing Authority, the Disciplinary Panel of Social Workers Registration Board, and the Market Misconduct Tribunal, he is presently undertaking further graduate legal research with Oxford University.