Latest News & Insights

Athentic Consulting’s team of experienced experts bring you the
latest news and insights in law and regulations.

AI CCTV and Smart Surveillance: Privacy Challenges in the Digital Age

What Are AI CCTV and Smart Surveillance?

Artificial intelligence has transformed ordinary security cameras (CCTV) into smart surveillance systems capable of automatically detecting, identifying, and tracking people or events through video analytics, something traditional cameras simply couldn't do.

In Thailand, AI CCTV is being adopted across both the public and private sectors: government agencies use it to strengthen safety in public spaces, while businesses use it to improve operational efficiency. That said, deploying this technology comes with real challenges around privacy, transparency, and appropriate use, all of which must align with Thailand's Personal Data Protection Act (PDPA).

Detection and Recognition: Where Privacy Gets Complicated

Today's AI CCTV systems can analyze people in the video frame at varying levels of depth. Understanding where a system falls on this spectrum is essential for PDPA compliance, especially when it comes to biometric data, one of the most sensitive categories of personal information.

There are two main levels of AI CCTV operation: Detection and Recognition, each carrying a different level of impact on individuals' rights and freedoms.

Detection means the system identifies that a person or object is present in a scene, for example counting people, spotting movement, or distinguishing a human silhouette from the background. The system cannot identify who that person is. From a legal standpoint, detection-level processing doesn't produce data that directly identifies individuals, so the risk to people's rights and freedoms is relatively low.

Recognition goes a step further. The system can link what it sees to a specific person, for example through Facial Recognition Technology (FRT), by matching a face against a database, or by analyzing unique biological features known as a biometric template to verify someone's identity.

Some AI CCTV systems now offer Live Facial Recognition Technology (LFT), which automatically scans and analyzes faces in real time as people walk past the camera, then checks them against a pre-loaded database. Even if the system is only looking for specific individuals, it technically has to process every face in the frame to do so, which has significant implications for everyone in that space.

This distinction matters enormously under data protection law. When AI processes a facial image to identify someone, that data may qualify as biometric data, a type of sensitive personal data under Section 26 of the PDPA, requiring a higher standard of protection than ordinary personal data.

Case Studies: AI CCTV in Different Contexts

As AI capabilities become increasingly woven into CCTV systems, from facial recognition and behavior analysis to movement tracking and emotion detection, the privacy stakes rise significantly, with growing potential to affect individuals' rights and freedoms.

Thailand is seeing wider adoption of AI CCTV across different settings. Take the Royal Thai Police, a public agency responsible for national security and public safety, which has deployed AI CCTV in public spaces to detect and identify suspects with active arrest warrants. The system uses facial recognition to compare faces against a criminal database and instantly alerts nearby officers through integration with the Criminal Investigation Bureau's warrant system. Under Section 4 of the PDPA, government agencies carrying out national security or public safety functions are exempt from the Act's requirements. Even so, these agencies still need legal authority from specific legislation, namely the National Police Act B.E. 2565 and the Criminal Procedure Code, which grant powers for investigation, evidence collection, and arrest under court-issued warrants. This approach aligns with the EU AI Act, which permits remote biometric identification in public spaces only for serious cases such as pursuing suspects in grave crimes, and only with prior judicial authorization.

For the private sector, shopping malls often use AI CCTV in ways that don't identify individuals, such as counting foot traffic, mapping how visitors move through the store, or analyzing shopping patterns. This kind of anonymous behavioral analysis can rely on the Legitimate Interest basis under Section 24(5) of the PDPA, since no individual is being singled out and the risk to personal rights is low. A Legitimate Interest Assessment (LIA) must still be conducted to weigh business interests against individuals' rights, and a clear Privacy Notice must be provided to visitors. This approach is consistent with the European Data Protection Board's Guidelines 5/2022 and the UK ICO's guidance on video surveillance.

That said, not all AI CCTV systems work the same way. In some cases, AI may only detect anomalies in a controlled access area, such as identifying that someone is attempting to enter a restricted zone, and alert the relevant staff to investigate further. This kind of system may operate purely at the detection level without identifying who that person is, and may rely on Legitimate Interest as its legal basis, provided the organization can demonstrate the necessity, appropriateness, and proportionality of the processing.

Some organizations also combine AI CCTV with facial recognition to control entry into restricted areas by pre-enrolling authorized employees' biometric templates in the system for identity verification. This is more legally complex. Technically, the system must scan and compare every face that appears in front of the camera before it can determine whether someone is permitted to enter, meaning the facial data being processed likely qualifies as biometric data under Section 26. For this reason, organizations should obtain Explicit Consent from every individual whose facial data will be enrolled in the system before any processing takes place.

How to Use AI CCTV in Compliance with Data Protection Law

Drawing from Thai and international examples, here are practical steps organizations should follow when deploying AI CCTV in line with personal data protection law.

  1. Clarify the type of processing before installation. Organizations must determine upfront whether the AI is only detecting, such as counting people or analyzing movement without creating individually identifiable data, or recognizing, meaning it generates facial templates to match against a database. These two uses carry entirely different legal obligations.
  2. Choose the right legal basis for the type of processing. For anonymous behavioral analysis, Legitimate Interest under Section 24(5) may be sufficient, provided the organization completes an LIA to demonstrate necessity and proportionality. For biometric data processing, Explicit Consent from each individual is typically required.
  3. Provide clear and complete AI CCTV and Privacy Notices. Organizations must inform people that AI CCTV is in use, including the purpose of the processing, the types of data collected, how long it will be retained, and individuals' rights under the PDPA. It should be clearly stated which personal data is processed by AI and in what manner. Visible signage must also be placed at a point where people can see it before entering any area covered by the system.
  4. Prepare a Consent Form for biometric data. Where the system stores individuals' facial images in a database for identity matching, Explicit Consent must be obtained before enrolling anyone. A clear mechanism for refusing or withdrawing consent must be provided, and consent for biometric data must be obtained separately from any other consent requests.
  5. Conduct a Data Protection Impact Assessment (DPIA). For high-risk systems, particularly those involving facial recognition or matching against named watchlists, a DPIA should be completed before going live to assess necessity, proportionality, and risk mitigation measures.
  6. Set security measures and data retention limits. All data collected, whether through general processing or AI-specific techniques, must have a defined retention period and be securely deleted when no longer needed. Measures must be in place to prevent unauthorized access and reduce the risk of data breaches.
Summary

AI CCTV is transforming ordinary security cameras into smart surveillance tools capable of analyzing and identifying individuals. Organizations deploying these systems must operate in full compliance with the PDPA, giving careful thought to biometric data processing, transparency, consent, risk assessment, and data security, in order to genuinely protect the rights and freedoms of the people whose data they collect.

References

  • Information Commissioner’s Office (ICO), Guidance on Video Surveillance Including CCTV (last updated 21 June 2023).
  • National Institute of Standards and Technology (NIST), Face Detection, NIST Glossary (2025).
  • National Institute of Standards and Technology (NIST), Face Recognition, NIST Glossary (2025).
  • กองบรรณาธิการวอยซ์ออนไลน์, “กทม. ผนึกกำลังตำรวจ ใช้ AI CCTV เฝ้าระวังเข้ม ยกระดับความปลอดภัยสงกรานต์ 2569” (11 เมษายน 2569).
  • พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562, มาตรา 4 (2).
  • Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act), Article 5
  • European Data Protection Board (EDPB), Guidelines 05/2022 on the Use of Facial Recognition Technology in the Area of Law Enforcement (Version 2.0, adopted 17 May 2023).
  • Information Commissioner’s Office (ICO), ICO Opinion: The Use of Live Facial Recognition Technology in Public Places (18 June 2021).
Palita Rungravee
Lead - Legal Technology Counselor
Rachanipak Preechachan
Legal Technology Counselor
About ATHENTIC News & Insights Our Services Contact us Career