By Anuradha Gandhi and Rachita Thakur
Introduction
The Supreme Court through its division bench comprising of Hon’ble Mr. Justice Dipankar Datta and Hon’ble Mr. Justice Manmohan dismissed a Special Leave Petition filed against the judgement of Calcutta High Court affirming that Closed-Circuit Television (hereinafter referred to as “CCTV”) cameras cannot be installed in a residential house without the consent of the co-trustee.[1]
Facts of the case
The case arose from the fact that the respondents had installed five CCTV cameras with motion detection features in the interior portion of the house where the appellant resided as per the trust deed, without his consent and for the purpose of protection of valuables preserved in the house. The contention of the appellant was that such an act caused a breach to his right to freely enjoying the property and thus violated his fundamental right of privacy under Article 21 of the Constitution.
The pivotal issue in this case was whether the installation of CCTV cameras in the residential portion of a house without the consent of the co inhabitant / co-trustee would amount to violation of his right to privacy?
Judgement
The court held that installation and operation of CCTV cameras inside the residential portion of the house without the consent of the co-trustee/inhabitant/appellant amounted to restrictions in his right to freely enjoyment of property and thus violated right to privacy under Article 21 of the Constitution.
Right to Privacy
The above judgement underscores that surveillance measures justified under the pretext of ‘safety’ have to be balanced against an individual’s ‘right to privacy’.
Traditional CCTVs have evolved into more complex Artificial Intelligence (hereinafter referred to as “AI”) based surveillance systems which are capable of processing wide range of sensitive personal data by utilizing technologies such as Automatic Number Plate Recognition (ANPR) or Facial Recognition Technology (FRT) in public spaces. While they serve legitimate interests like safety and security, some of these uses may be intrusive, especially if processing takes place without the knowledge of the individual.
These issues contemplate the need for video surveillance to be subjected to regular assessment to ensure its relevance and legality
- Personal Sensitive Data
Video surveillance footage collects and retains pictorial or audio-visual information about people entering the monitored space that are identifiable based on their looks or other specific elements. Such data comes under the category of ‘Personal Data’ as defined under the DPDP Act[2]. Such surveillance also processes personal data related to individual’s presence and behavior within a monitored area.
- Real-time Data
The use of AI-enabled CCTV cameras leads to real-time monitoring of individuals to track them, often resulting in continuous data collection and frequent updates. This can be more intrusive than traditional methods that record and store footage for limited periods. In public spaces, similar systems track pedestrian or vehicle movement or analyze behavior, raising concerns about personal data use[3]. - Notice
The primary issue with CCTV surveillance is the lack of notice among the public regarding the existence of surveillance and the subsequent processing of their data. The existing Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, under Rule 5(3) and the DPDP Act under section 5 requires the Data Fiduciaries (the entities which decides the means and purpose of processing data[4]) to inform and make individuals aware of monitoring through clear signage or notices including details like purpose of processing personal data, data retention periods, manner of exercising rights and making complaint with the appropriate authority.
- Informed Consent
Consent is an indication of an individual wish, by way of a statement or by a clear affirmative action, which manifests its agreement to process personal data. For every processing of personal data, consent must be acquired which at all times must be free, informed, specific, clear and capable of being withdrawn[5].
- Reasonable Privacy Expectation
In general, data fiduciaries should avoid using CCTV in circumstances where a reasonably high expectation of privacy exists. For instance, spas, toilet facilities or changing rooms. The landmark judgement of K.S. Puttaswamy v. Union of India[6], addressed the concept of Reasonable Privacy Expectation in intimate places and stated that such expectation of privacy is not only confined to intimate spaces such as bedroom or washroom, but also includes public places as well, and such privacy is not lost merely because an individual is in a public place.[7] - Retention Periods
A clear data retention policy is required clearly specifying the period of retention in the case of CCTV footages. For instance,
The Supreme Court, in the case of Paramvir Singh Saini vs Baljit Singh, directed that all Police Stations must be equipped with CCTV cameras that have night vision capability and must capture both audio and video footage. These systems must also include recording facilities, with data retention for a period of 18 months. If the existing cameras are unable to support such storage, it shall be mandatory for all States, Union Territories and the Central Government to procure systems that offers the longest possible storage duration which in any case should not be less than 1 year.[8]
- Data Minimization
The principle of data minimization requires that personal data be collected, stored, processed and retained only to the extent necessary and relevant for a clearly defined purpose. Data fiduciaries must not transfer digital templates between different biometric systems, in order to prevent any unauthorized further processing.
- Balance of Rights and Purpose limitation
Right to privacy is not absolute. CCTV surveillance needs to be balanced with individual privacy rights against legitimate interests of business such as workplace security, compliance with regulations or operational efficiency. The KS Puttaswamy Judgement[9] introduced a test to determine whether a surveillance measure that affects is constitutionally valid:
- Action must be backed by law
- Such action is necessary to substantiate a legitimate claim
- The degree of such interference should be proportional to the necessity of it
- There must be procedural safeguards in place to prevent misuse of such interference
Intersection of AI and CCTV surveillance
What if CCTV Footage is used to make decisions about the individual?
Besides privacy concerns, AI– powered surveillance cameras may produce biased outcomes based on an individual’s age, gender, ethnicity or other demographic attributes. Recently, the French Data Protection Authority (CNIL) concluded that facial analysis technologies used to estimate age are neither necessary nor proportionate. This conclusion stems from the fact that such systems can only estimate age, not determine it with certainty and are prone to errors and bias inherent in AI-based analysis. Therefore, CNIL has recommended verification through physical documents or other methods which use lesser personal data of individuals.[10]
AI-enabled CCTV cameras are regulated by the European Union Artificial Intelligence Law (hereinafter referred to as “EU AI Act”). Section 5(1) (e) of the EU AI Act prohibits the use of AI systems that create or expand facial recognition databases through the untargeted scraping of facial images from CCTV footage as such practice could lead to mass surveillance affecting right to privacy. The use of biometric identification systems (RBI) by law enforcement is also prohibited in principle, except if strict safeguards are met and subject to specific prior judicial or administrative authorization for instances such as a targeted search of a missing person or preventing a terrorist attack.[11]
These systems are therefore classified as ‘high risk’ under the EU AI Act, and requires extensive testing before being placed on the market. The companies must:
- Cybersecurity: Ensure high standards of cybersecurity and system accuracy
- High-Quality Data: Use accurate, diverse training and real-world data to avoid bias or discriminatory outcomes
- Data Protection Compliance: The collection, processing and storage of biometric data must met with applicable data protection laws of the respective country.
Conclusion
Considering the volume of information collected and/or processed, it is essential to be transparent about the data processing activities and a layered approach may be adopted. First layer of information may be a warning sign showing the relevant information in a clearly readable manner and the second layer of information should be made available publicly at a place to the individuals, for example as a complete information sheet available at a central location such as at reception or information desk.
Rishabh Gupta, Junior Associate Advocate at S.S.Rana & Co. has assisted in the research of this article.
[1] Indranil Mullick &Ors. Vs. Shuvendra Mullick, 09-05-2025, Special Leave to Appeal (C) No. (s). 12384/2025
[2] Section 2(t) of Digital Personal Data protection Act, 2023, Any data about an individual who is identifiable by or in relation to such data is termed as Personal data
[3] https://www.cnil.fr/fr/cameras-augmentees-espaces-publics-position-cnil , Guidelines 3/2019 on processing of personal data through video devices, available at: https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201903_video_devices_en_0.pdf
[4] Section 2(i) of Digital Personal Data Protection Act, 2023
[5] Section 6 of Digital Personal Data Protection Act, 2023
[6] Writ Petition (Civil) no. 494 of 2012
[7] Chandrachud, J, at para 3(f), J. Bobde at para 22, K.S. Puttaswamy v. Union of India
[8] Para 17, Paramvir Singh Saini vs Baljit Singh, SPECIAL LEAVE PETITION (CRIMINAL) NO.3543 of 2020
[9]JUSTICE KS PUTTASWAMY (RETD.) & Anr. vs. UOI, [2017] 10 S.C.R. 569