Ireland

The Irish Data Protection Commission (DPC) has published guidelines on the use of both outward and inward-facing dashcams. Where a person processes personal data in a purely personal capacity, then they may be able to avail of the 'household exemption' under the General Data Protection Regulation (GDPR). However, the DPC makes clear that this exemption is narrowly construed and that whether the exemption applies will be closely considered where someone is using surveillance technology, such as dashcams, that records video and/or audio in a public space. 

Relevant legislation

Any use of dashcams needs to comply with the GDPR. The DPC has additionally published guidelines interpreting how the GDPR applies to dashcams. While these guidelines are not legally binding, they are persuasive and indicative of how the DPC will treat the issue as a regulator.

Data protection considerations and best practices

The following things should be considered where you are the controller:

• Transparency: There should be a sticker or another visible sign on or inside the vehicle that makes clear that the person is being recorded. A policy should be available online or where someone requests it from the organization.
• Data retention: Footage should not be held indefinitely and any retention needs to correspond to the purpose for which the data is being processed. For example, recordings of an accident could be retained for use in a criminal investigation.
• Right of access: If someone inquires whether there is a recording of them, the right of access means that it has to be confirmed whether a recording exists. Where there is a recording of someone, they have a right to access it.
• Publication of footage: You should consider not widely disseminating the footage, such as on social media, as you will need to ensure that you have a legal basis for doing so.
• Sharing with law enforcement: Irish law enforcement can request a copy of dashcam footage when investigating a crime under §41 of the Irish Data Protection Act as long as they can demonstrate that the footage is necessary for investigation or prosecution.

Germany

There is a landmark judgment of the German Federal Court of Justice (Bundesgerichtshof) on the use of dashcams and on the question of whether unlawfully collected dashcam recordings may still be used as legal evidence (see under 1.1). In addition, German data protection authorities have expressed their views on the use of dashcams (see under 1.2).

Relevant legislation

1.1 The judgment of the German Federal Court of Justice

In 2018, the Bundesgerichtshof decided on the permissibility of the processing of personal data with dashcams based on the old German implementation of Directive 95/46 EC (judgment in German here). While the legal framework as such is no longer applicable, the main findings in the case should equally apply under the GDPR, given that a balancing of interests was performed by the German court. 

The court found that a permanent recording of all events along the route without cause is not necessary to safeguard the interests of the operator of a dashcam (paragraph 19) and that legitimate interests cannot prevail in the case of permanent recording without cause (paragraph 26). At the same time, the court also mentions possibilities to implement measures (paragraphs 25 and 26) which may result in the data processing being permissible (see further below under 'Data protection considerations (…)'). According to the judgment, unlawfully collected dashcam recordings may still be used as legal evidence. If they may be used or not is assessed based on a case-by-case comprehensive balancing of opposing rights and interests.

1.2 Opinions of German data protection authorities

One challenge often mentioned by German data protection authorities is ensuring compliance with the principle of data minimization and that the necessity is fulfilled as one criterion of the balancing of interests test. According to the German supervisory authorities, permanent data storage without cause is not permitted (see in German here). So far, the German data protection authorities have not sanctioned event-related recording and storage for a period of approximately 30 seconds to one minute before a triggering event, and up to approximately 30 seconds to one minute after an incident (see in German the Commissioner of the state of Niedersachsen here). According to the German authorities, event-related storage can be triggered by manual actions (memory buttons), unusual vehicle movements (G-sensors), or indications for dangerous situations (emergency braking).

German authorities have been stressing the importance of fulfilling obligations to inform under Article 13 of the GDPR (see in German here on page 2). The authorities cited the possibility of displaying the name of the controller, a video surveillance pictogram, and a short, easy-to-remember internet address on the various sides of the vehicle in a clearly visible manner. It is worth mentioning that vehicles in Germany do not typically look like this when a dashcam is used in practice.

In principle, there is a provision regulated in Section 4 of the German Federal Data Protection Act that shall apply to video surveillance conducted in publicly accessible areas and which could be relevant for dashcams. However, the German Federal Administrative Court decided in 2019 that this provision violates EU law and needs to remain unapplied (judgment in German here). The main legislation applicable to the processing of personal data when using dashcams is therefore the GDPR. The legal basis for the use of a dashcam is Article 6(1)(f) of the GDPR.

In cases where dashcams used also record voices, Section 201(1) No. 1 German Federal Criminal Code may also apply if there is no sufficient legal basis for the recordings. It is currently highly debated if only the legal basis explicitly regulated in the Criminal Code may allow such recordings or if the GDPR's legal basis may also apply and result in the recordings being 'authorized' and Section 201(1) No. 1 German Federal Criminal Code not applying at all.

Data protection considerations and best practices

Dashcams are used mostly to be able to trace the course of an accident and, if necessary, to use the video as evidence in court or for the settlement of claims and clarification of liability issues. To ensure that dashcam recordings are also compatible with data protection, data processing must be in balance with both the rights and interests of the driver and of people in the public sphere. To ensure that data processing is necessary, one has to avoid permanent recordings and long retention periods. As described above, only event-related recording is acceptable for the German supervisory authorities. It is important to note that event-related recordings should also be deleted if they are no longer needed because an accident, for example, did not occur. Additionally, one could consider reducing the level of interference by means of pixelation of persons who are recorded by the dashcam far from the road. If a dashcam automatically stores all recordings until the memory card is full, one could consider using a memory card with a small storage space. 

In addition, the obligations to inform pursuant to Article 12 of the GDPR must also be taken into account. In German literature, some scholars have pointed out that Article 11(1) of the GDPR could apply as an exemption for the obligations to inform and that paragraph 2 of this provision is relevant to data subject rights. Since the identification of road participants is mostly not necessary, Article 11 of the GDPR should, in principle, be relevant.

Lastly, it should be noted that if microphones are integrated into dashcams, participants in the conversation should be made aware of this fact, as in addition to a violation of the GDPR, the criminal offense of Section 201(1) No. 1 German Criminal Code may also be relevant otherwise.

Netherlands

The use of dashcams is becoming increasingly popular in the Netherlands. Some drivers passively use a dashcam to provide an additional source of evidence in the event of a collision. Other drivers actively seek interesting clips, for example of poor driving, to share on the internet. In this article, the legislation applicable to these use cases is explored.

Relevant legislation

There is no legislation that specifically regulates the use of dashcams in the Netherlands. However, the GDPR may apply to the use of a dashcam if it is used to process personal data. This will likely be the case if the dashcam records other people. Recorded vehicle registration plates may also constitute personal data if the dashcam user (or a further recipient of the footage) has a reasonable way of identifying the vehicle's registered owner.

Even if personal data is processed, the GDPR may still not apply if the use of the dashcam falls within the GDPR's 'purely personal or household processing' exemption. The Dutch data protection supervisory authority, the Autoriteit Persoonsgegevens (AP), has issued guidance on this exemption (available in Dutch here). In summary, the AP considers that the exemption does not apply if personal data is published to an unlimited number of people on the internet.

Dashcam users should also be aware that the Dutch police could legally require the footage to be handed over if they believe it constitutes evidence in an investigation.

Data protection considerations and best practices

Taking into account the AP's guidance, users who record dashcam footage just to watch themselves likely fall within the 'purely personal or household processing' exemption. In contrast, dashcam users who want to publish footage containing personal data on the internet are unlikely to be able to rely on this exemption. This means that the requirements of the GDPR apply to such dashcam users and they will be classified as a data controller. Such users need a lawful basis for processing the personal data. The AP suggests that consent is appropriate in such use cases (see AP guidance in Dutch here).

In practice, however, consent will be difficult to obtain. Therefore, dashcam users should consider blurring or otherwise removing any personal data (e.g., people's faces) from dashcam footage before it is published online. They should also consider implementing an automatic deletion cycle for such footage so that it is not retained for an unlimited time.

Security surveillance

Drivers sometimes also use dashcams as an additional security measure while the vehicle is parked. In cases where the vehicle is parked and the dashcam films people in public spaces, users are also likely to be classified as data controllers. If the filming is necessary for security purposes, dashcam users may be able to rely on legitimate interest as a lawful basis.

However, it is important to consider whether this is proportionate and for how long such data should be stored. In 2023, the AP engaged with Tesla on this issue, which resulted in Tesla making changes to its 'Sentry Mode' to improve its privacy practices. Notably, however, the AP states that the vehicle owner is the data controller in such circumstances (see more in Dutch here).

Italy

Dashcams installed in vehicles serve two primary purposes: security and insurance. They can record the vehicle's interior to deter acts of wrongdoing and capture exterior footage to determine fault and expedite claims in road accidents. However, these devices can capture significant personal data, posing privacy risks that must be considered.

Relevant legislation

Dashcam use in Italy is not explicitly regulated by specific laws or addressed by the Italian data protection authority (Garante). In the absence of specific regulations, users must comply with principles outlined by Article 5 of the GDPR, and the Guidelines 3/2019 on processing of personal data through video devices from the European Data Protection Board (EDPB) are surely of help for applicable requirements in Italy.

Data protection considerations and best practices

Firstly, there are cases where data protection considerations are unnecessary. Namely, the EDPB clarifies that the GDPR does not apply to:

• data processing that does not involve an identifiable person (e.g., a dashcam used solely for parking assistance that does not collect any information relating to individuals); and
• processing of personal data for purely personal or household activities (e.g., a dashcam recording exclusively the interior of the vehicle - which is not a public space but can be considered a private domain).

When dashcam use does not fall under these exemptions, it is essential to ensure that the processing is lawful - i.e., that there is a valid legal ground for the processing of personal data via a dashcam.

To reduce the risk of any potential data protection violation while using dashcams, the following practices - also taking into account the EDPB guidelines - should be followed:

• Expectations of data subjects: The EDPB recognizes that collecting evidence in case of a road accident can be a legitimate interest and serve as a valid legal basis. However, this must be balanced against third parties' reasonable privacy expectations. For example, dashcams should not constantly record traffic or individuals near a road, as the potential benefit of video evidence does not justify infringing on data subjects' rights. Furthermore, dashcams should not be used in public areas with higher privacy expectations, such as restaurant tables, parks, or areas outside bars. Another prohibited scenario is using dashcams to record the exterior of a parked and switched-off vehicle.
• Field of view: The dashcam's field of view shall be restricted to what is strictly necessary for the intended purposes (e.g., detecting accidents or damages).
• Movement detection: Dashcams shall record only upon detecting movement within their field of action.
• Retention period: The retention period shall be limited to ensure that data is stored only for the duration necessary to achieve the intended purpose (a period longer than 24 hours is likely not to be considered appropriate).
• Data deletion: Once the retention period has elapsed, data shall be automatically overwritten or however deleted.
• Data-protection measures: Adequate measures shall be implemented to prevent accidental loss or unlawful dissemination of personal data.
• Scope and scale: The larger the scope of data collected, the greater the measures required to enhance data security. For example, in the case of pedestrian areas, stricter data security measures might be taken into account (e.g., reducing the retention period and blurring pedestrians' faces).

Finally, beyond potential privacy violations, criminal liability may arise depending on the actual usage of the dashcam by the relevant user. Using/installing a dashcam that records public spaces could be criminally relevant under Articles 617-bis (which punishes the unlawful possession of devices capable of intercepting communications) and Article 623-bis (which extends this to any means of transmitting sounds, images, or data) of the Italian Criminal Code. In any case, this should not prevent the commercialization of this kind of device.

Victoria Prescott Team Lead, Editorial
[email protected]
Cristina Die González Editor
[email protected]
Isabelle Strong Editor
[email protected]

Comments provided by:

Nina Milosavljevic Senior Associate
[email protected]
Mason Hayes & Curran LLP, Ireland

Sandra Häntschel Lawyer
[email protected]
Philipp Quiel Business Lawyer
[email protected]
Piltz Legal, Berlin

Laura Monhemius Senior Legal Counsel
[email protected]
ICTRecht, Amsterdam

Gianluigi Marino Partner
[email protected]
Alessandra Potini Tech Law Trainee
[email protected]
Osborne Clarke, Milan