To be compliant with the law, camera traps must not store data locally but transmit it to the cloud
Abstract: So-called camera traps fall fully within the category of video surveillance systems and are therefore subject to the general framework of personal data protection law. Their use must fully comply with the principles and obligations set out in the GDPR, with particular regard to data security and the prevention of data breaches. Local data storage, even when encrypted, presents structural criticalities that are incompatible with the requirements of confidentiality, integrity, and availability, especially in cases of theft, damage, or accidental events. Remote data transmission to secure and compliant infrastructures therefore represents the only technically suitable solution to ensure the lawfulness of processing, in order to avoid significant administrative sanctions, civil liability, and, in the most serious cases, criminal liability. These consequences also apply when camera traps are used by local and national law enforcement authorities, as demonstrated by the sanction imposed on the Municipal Police of Taranto.
Keywords: #cameratraps #videosurveillance #GDPR #dataBreach #localStorage #remoteRecording #secureCloud #controllerResponsibility #GDPRsanctions #privacy #MassimilianoMancini #ethicasocietas #ethicasocietasjournal #scientificjournal #humansciences #socialsciences #ethicasocietasupli #italianlocalpoliceunion
Introduction
The term camera trap commonly refers to portable and easily concealable video surveillance systems equipped with motion sensors and cameras, mainly used for wildlife monitoring, environmental surveillance, the protection of private areas, and, in some cases, for scientific research purposes.
However, this commonly used designation has no legal relevance, as current legislation treats all video surveillance systems in the same manner, including from a terminological perspective (EDPB Guidelines 3/2019). Only certain systems are subject to additional obligations, such as body-worn cameras (Article 24(1)(b) of Legislative Decree No. 51/2018) and drones (Article 23(4) of Presidential Decree No. 15/2018), for which prior consultation with the Data Protection Authority is always required within the framework of a Data Protection Impact Assessment (Article 36 of Regulation (EU) 2016/679 – GDPR and Article 24 of Legislative Decree No. 51/2018) in order to be lawfully deployed.
Consequently, the fact that camera traps are not legally distinguished from other video surveillance systems means that they are subject to the same rules and, in particular, must implement adequate security measures and, above all, ensure that no data breach may occur.
The foundations of data processing security in the use of camera traps
For any processing operation to be secure and therefore lawful, both the processing itself and the tools used must explicitly guarantee certain minimum requirements (Article 32 of Regulation (EU) 2016/679 – GDPR):
-
the pseudonymisation and encryption of personal data;
-
the ability to ensure on an ongoing basis the confidentiality, integrity, availability, and resilience of processing systems and services;
-
the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
-
a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures to ensure the security of processing.
These requirements are interconnected and must be met cumulatively rather than alternatively. Pseudonymisation or encryption, in particular, presupposes the availability and integrity of the data. This raises the question of how such guarantees can be ensured by a portable and movable storage system such as camera traps, which can easily be stolen or destroyed, including as a result of natural events such as fires, floods, or interference by wild animals.
It therefore appears evident that no camera trap can be considered secure—and thus lawful—if it stores data locally, and that the only technically viable measure capable of ensuring the lawfulness of processing is the remote recording of captured data, namely transmission via radio or cellular network to a cloud infrastructure compliant with AGID standards.
The risk of data breaches in the case of local storage, even if encrypted
The most serious risk associated with any data processing operation is a data breach, defined as a “personal data breach,” meaning a security breach leading, whether accidentally or unlawfully, to one or more of the following events (Article 4(12) of Regulation (EU) 2016/679 – GDPR):
-
destruction;
-
loss;
-
alteration;
-
unauthorised disclosure;
-
unauthorised access.
It is therefore clear that the mere encryption of personal data, even when effective and certified, can at best prevent the latter two events, but cannot in any way exclude destruction, loss, or alteration of data. These events may occur when a camera trap is stolen, destroyed, or tampered with, even accidentally, such as through the action of wild animals or in the event of fires or floods.
A data breach constitutes evidence of the failure of data protection policies and of the data controller’s compliance with legal obligations. It triggers the obligation to notify the supervisory authority without undue delay and, in any event, within 72 hours (Article 33 GDPR). The authority may then carry out inspections and investigations, and, where applicable, the data breach must also be communicated to all data subjects concerned—in this case, all individuals who may have been recorded by the camera trap (Article 34 GDPR).
Sanctions and liability for the use of non-compliant camera traps
The use of camera traps that do not ensure data processing security, as outlined above, may give rise not only to consequences in the event of a data breach, but also following complaints by data subjects—often triggered by the imposition of sanctions or the filing of reports—and may result in:
-
the invalidation of findings obtained through non-compliant means and procedures (Article 2-undecies of Legislative Decree No. 196/2003);
-
administrative fines of up to €10,000,000 (Article 83(4)(a) GDPR);
-
civil liability towards individuals unlawfully recorded (Article 82 GDPR);
-
in serious cases, criminal liability (e.g. unlawful interference with private life).
In any event, good faith or the aim of preventing crime or administrative offences does not exclude liability, as confirmed by decisions of the Data Protection Authority, such as the case concerning the unlawful use of camera traps by the Municipal Police of Taranto, which resulted in significant fines and further liabilities.
Conclusion
Camera traps are useful and versatile tools, but their use requires legal awareness and ethical responsibility. Compliance with data protection rules is not an obstacle, but rather a safeguard ensuring a balance between technological innovation, the protection of fundamental rights, and legitimate security or research needs.
Proper use requires careful planning of camera positioning, transparency in information provided to data subjects, and strict compliance with GDPR principles, so that technology remains at the service of the community and does not become a source of violations of personal dignity.
NOTES
[1] Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), Decision No. 291/2021, point 4, pp. 7–8: “[…omissis…] Therefore, the processing activity at issue must be considered as presenting a high risk for data subjects and, since Article 24(1)(a) of the Decree applies, prior consultation is deemed necessary.”
[2] Presidential Decree No. 15/2018, Article 23 (Photographic, video and audio recording systems): “[…omissis…] 3. The processing of personal data collected through remotely piloted aircraft, in view of their potential intrusiveness, falls within the category of processing operations that present specific risks pursuant to Article 6. […omissis…].”
[3] Regulation (EU) 2016/679 (GDPR), Article 32 (Security of processing): “1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing. […omissis…].”
[4] Regulation (EU) 2016/679 (GDPR), Article 4 (Definitions): “1. For the purposes of this Regulation: […omissis…] (12) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed; […omissis…].”
[5] Regulation (EU) 2016/679 (GDPR), Article 33 (Notification of a personal data breach to the supervisory authority): “1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification is not made within 72 hours, it shall be accompanied by reasons for the delay. […omissis…].”
[6] Regulation (EU) 2016/679 (GDPR), Article 34 (Communication of a personal data breach to the data subject): “1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. […omissis…].”
[7] Legislative Decree No. 196/2003, Article 2-undecies (Inadmissibility of unlawfully processed data): “1. Personal data processed in violation of the applicable data protection legislation may not be used, without prejudice to the provisions of Article 160-bis.”
[8] Regulation (EU) 2016/679 (GDPR), Article 83 (General conditions for imposing administrative fines): “[…omissis…] 4. In accordance with paragraph 2, infringements of the following provisions shall be subject to administrative fines up to EUR 10,000,000, or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; […omissis…].”
[9] Regulation (EU) 2016/679 (GDPR), Article 82 (Right to compensation and liability): “1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered. […omissis…].”
LATEST CONTRIBUTIONS BY THE SAME AUTHOR
MAY 1, 1947, THE PORTELLA DELLE GINESTRE MASSACRE
A HISTORIC TURNING POINT: LAW 181/2025 RECOGNIZES THE SPECIFIC NATURE OF FEMICIDE
11/23/1980 — 45 YEARS AGO IRPINIA FELL AND THE ENTIRE NATION DISCOVERED ITS FRAGILITY
THE MUNICIPALITY OF SANT’EGIDIO ALLA VIBRATA (TE) CONVICTED FOR MOBBING
LATEST CONTRIBUTIONS ON PRIVACY
CAMERA TRAPS THAT RECORD DATA LOCALLY, EVEN WHEN ENCRYPTED, ARE UNLAWFUL
THE FRIA OBLIGATION FOR LOCAL POLICE
LATEST 5 CONTRIBUTIONS
THE END OF THE WARRIOR AND THE ANGEL: PSYCHOLOGY OF AN IDENTITY IN TRANSFORMATION
THE NEW METRO LINE C REACHES THE COLOSSEUM: HISTORY, DESIGN, AND ITS SIGNIFICANCE FOR ROME
PALANTIR AND THE RULE OF LAW: DATA POWER BETWEEN SECURITY AND LIBERTY
MAY 1, 1947, THE PORTELLA DELLE GINESTRE MASSACRE
DECEMBER 12, 1969: THE PIAZZA FONTANA BOMBING
Ethica Societas is a free, non-profit review published by a social cooperative non.profit organization
Copyright Ethica Societas, Human&Social Science Review © 2026 by Ethica Societas UPLI onlus.
ISSN 2785-602X. Licensed under CC BY-NC 4.0