This is engineering guidance, not legal advice. Confirm specifics with qualified counsel.
Why this matters
This article is the jurisdiction map for the surveillance compliance block, written for the founder, product manager, security integrator, or operations lead who has to ship one system into more than one country and cannot afford to discover a law after the cameras are live. The other Block 6 articles go deep on single regimes — GDPR for video surveillance for the EU baseline, BIPA and US biometric privacy law for the American minefield — and this one zooms out to show how those regimes relate, where they conflict, and how a cross-border product reconciles them without forking into a dozen legal variants. You do not need a legal background to read it. Every regime is named with its law and year, every claim is tied to a primary source, and the goal is to leave you able to look at a deployment map and say, in plain terms, which rules bite where and which one sets your floor.
The three questions that split the map
Before any country-by-country detail, fix the framework. Almost every difference between regimes is an answer to one of three questions, and once you can ask them you can read any new jurisdiction quickly.
Question one: is ordinary video already personal data? In most of the strict regimes, the moment a camera records footage from which a living person can be identified — by their face, their gait, a uniform, a licence plate, the context — that footage is "personal data" and the whole privacy law applies to it, before any analytics run. The European Data Protection Board states this directly in its Guidelines 3/2019 on processing personal data through video devices. Other regimes only switch the law on when something more than plain recording happens, which means the same camera can be lightly regulated in one country and fully regulated in another.
Question two: is a face template a higher category with its own gate? Recording someone's face is one thing; converting that face into a mathematical template that can identify them — the step that turns video into face recognition — is treated far more harshly almost everywhere that regulates it. The EU calls it "special category" data under GDPR Article 9; US biometric statutes, Canada, Brazil, China, and Australia all build a separate, higher consent gate around it. This is the single sharpest line on the whole map, and the one that most often decides whether a feature is shippable in a region at all.
Question three: who is watching, and where? Public space and private space are governed differently, and — counter to most people's intuition — public space often carries more restriction, not less, because a public authority pointing cameras at citizens raises constitutional and human-rights questions that a shop watching its own floor does not. The split between a private operator securing its own premises and a public authority conducting mass surveillance runs through every regime and frequently has its own rulebook.
Figure 1. The three questions that split the map. Each jurisdiction answers them differently, and the answers — not the country's reputation — tell you how heavily a deployment is regulated.
Hold these three questions in mind as the regions go past. The map is just the same three answers, filled in differently.
The reach trap: your subjects' location decides the law, not yours
The most expensive misunderstanding in cross-border surveillance is the belief that a company is governed by the law of the country it operates from. It is not. Modern privacy laws reach outward to protect their own residents wherever the processor sits.
GDPR Article 3 is the clearest example: the regulation applies to an organisation with no EU presence at all if it offers goods or services to people in the EU or monitors their behaviour — and tracking people through cameras and analytics is monitoring. A US-headquartered company running analytics on footage of people in Germany is inside GDPR. China's Personal Information Protection Law and Brazil's LGPD carry similar extraterritorial hooks. The consequence is simple and easy to get wrong: the law follows the person in front of the camera, not the address on your incorporation papers. A single product with users in three regions answers to three regimes at once.
Common mistake: "We're a US company, so GDPR doesn't apply to us." It applies the moment you process footage of people located in the EU, regardless of where your servers or staff are. The same logic runs in reverse — an EU vendor selling into Illinois inherits BIPA exposure. Map your obligations by where your subjects are, never by where your office is.
The European Union: the high-water mark
The EU is where surveillance law is strictest, which is why it tends to set the global baseline for any product that touches Europe. Two instruments stack on top of each other.
The first is the General Data Protection Regulation (Regulation (EU) 2016/679). Plain video of an identifiable person is personal data; a face template used to identify someone is special-category biometric data under Article 9, prohibited by default unless a narrow exception (such as explicit consent) applies; and a high-risk camera deployment needs a Data Protection Impact Assessment under Article 35. The EDPB's Guidelines 3/2019 translate all of this into video specifics. We go through the mechanics in GDPR for video surveillance; the point here is that the EU answers all three framework questions in the strictest direction at once.
The second, newer instrument is the EU AI Act, which regulates the analytics, not just the data. It bans real-time remote biometric identification — live face matching of the public — by law enforcement in publicly accessible spaces, with only narrow, authorised exceptions; that prohibition has been in force since 2 February 2025. The Act's heavier "high-risk" obligations for biometric systems were originally due to apply from 2 August 2026, but under the Digital Omnibus political agreement reached on 7 May 2026 those duties for standalone high-risk systems (Annex III, which includes biometrics) are deferred to 2 December 2027, pending formal adoption. For a builder, the takeaway is durable even while the date moves: in Europe, public live face recognition is largely off the table, and the rest of biometric analytics is heading toward a high-risk compliance regime.
The United Kingdom: close to the EU, drifting at the edges
After leaving the EU, the UK kept GDPR as UK GDPR alongside the Data Protection Act 2018, so the core answers — video is personal data, biometrics are special category — still match Europe. The Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025, amends that framework at the edges (easing some processing and automated-decision rules) without changing the fundamentals for surveillance.
What makes the UK its own entry on the map is a second layer specific to public-space cameras. The Information Commissioner's Office publishes detailed CCTV guidance under UK GDPR, and a separate Surveillance Camera Code of Practice governs public authorities in England and Wales, overseen by a Biometrics and Surveillance Camera Commissioner (a permanent appointment was restored in late 2025 after the role sat vacant). Police use of live facial recognition remains legally contested and operationally constrained rather than freely available. The UK is a useful reminder that "close to the EU" is not "identical to the EU" — the divergence is real and worth checking per feature.
The United States: no federal law, fifty answers
The US is the hardest region to summarise because there is no comprehensive federal privacy law. Instead there is a sectoral floor (rules for health data, children, and the like) and a fast-growing state patchwork on top.
By 2026, roughly twenty states have comprehensive consumer-privacy laws in effect, and almost all of them classify biometric data — including a face template — as "sensitive data" that needs a higher bar to process (opt-in consent in most; an opt-out of sensitive-data use in California). That is the second framework question answered at the state level. On top of that sit three dedicated biometric statutes: Illinois's Biometric Information Privacy Act (BIPA, 740 ILCS 14), Texas's CUBI, and Washington's biometric law.
One difference among them dominates everything: enforcement. Texas and Washington are enforced only by the state attorney general. Illinois is the outlier — BIPA gives individuals a private right of action, so a person whose face geometry was captured without the required written consent can sue directly, with statutory damages per violation. That single design choice has made Illinois the centre of US biometric litigation and the reason a face-recognition feature is a different risk in Chicago than in Houston. The full mechanics live in BIPA and US biometric privacy law; the regional point is that within one country the biometric gate ranges from "attorney-general only" to "anyone can sue you."
Public space adds its own twist. For a private operator watching its own premises, US law is relatively permissive — there is generally no reasonable expectation of privacy in a public-facing area, and recording video is broadly allowed. But government face recognition is restricted in a growing list of places: more than a dozen cities have banned police use of the technology outright, and several states limit it. And audio is its own regime — recording sound can trigger wiretap "all-party consent" laws in roughly a dozen states, a point we cover in consent and notice for surveillance. The US is not one answer; it is fifty, plus the cities.
The rest of the map, quickly
The other major regimes mostly land between the EU's strictness and the US's permissiveness, each with a local twist worth knowing.
Canada runs federal and provincial law in parallel. The federal Personal Information Protection and Electronic Documents Act (PIPEDA) governs private-sector data, and the Office of the Privacy Commissioner issued updated biometric guidance in August 2025 stressing appropriate-purpose, consent, and minimisation. Quebec's Law 25 is stricter still: it requires a privacy impact assessment, opt-in consent, and — uniquely — that you notify the regulator (the CAI) before creating a database of biometric data. Canada is two strictness levels in one country.
Brazil applies the LGPD (Lei nº 13.709/2018), which, like GDPR, treats biometric data as sensitive personal data requiring a higher basis. The data-protection authority, the ANPD, opened a public consultation on biometric processing in 2025 and has biometrics on its 2025–2026 regulatory agenda, even as large public face-recognition programmes (São Paulo's Smart Sampa) run ahead of settled rules.
China is strict in a different direction. Under the Personal Information Protection Law, facial data is sensitive personal information, and the Security Management Measures for the Application of Facial Recognition Technology (issued by the CAC and Ministry of Public Security, effective 1 June 2025) add hard operational rules: separate consent, a default that facial data is stored locally and not transmitted over the internet unless specifically authorised, registration with regulators when processing the faces of more than 100,000 people, and a ban on compelling face scans for routine access such as hotel check-in or entering a residential community. China pairs heavy state surveillance with genuinely strict rules on private commercial use — and a data-residency mandate that directly shapes where your servers must sit.
India enacted the Digital Personal Data Protection Act in 2023 and notified its implementing Rules on 14 November 2025, but the substantive obligations phase in over time, with the core compliance duties landing around May 2027. Notably, the DPDP Act does not carve out a separate "sensitive" or biometric category the way GDPR does — a structural difference worth flagging for any India deployment.
Australia protects "sensitive information," which expressly includes biometric templates, under the Privacy Act 1988 and Australian Privacy Principle 3 — you generally cannot collect it without consent. The Privacy and Other Legislation Amendment Act 2024 added a statutory tort for serious invasions of privacy and automated-decision transparency duties. The regulator's 2024 determination that a major retailer breached the Act by running face recognition on shoppers without consent (later partly revisited on review) is the clearest signal in the region that private retail face matching is firmly in scope.
The regional comparison, side by side
The table compresses the map. Read it as the three framework questions, answered per region, with the enforcement reality that decides how much each answer hurts.
| Region / law | Plain video = personal data? | Biometric (face template) gate | Enforcement teeth | Notable 2025–26 development |
|---|---|---|---|---|
| EU — GDPR + AI Act | Yes | Special category, Art. 9; consent/DPIA | Regulators; fines to 4% turnover | Public live face matching banned (AI Act Art. 5) |
| UK — UK GDPR + DPA 2018 | Yes | Special category | ICO; separate camera code | Data (Use and Access) Act 2025 reforms |
| US — Illinois — BIPA | Via state law | Written consent before capture | Private right of action + statutory damages | Litigation centre of gravity |
| US — most states | Sensitive-data rules | "Sensitive data," opt-in/opt-out | Attorney general | ~20 comprehensive laws now in effect |
| Canada / Quebec — PIPEDA / Law 25 | Yes | Consent; Quebec: notify regulator first | OPC / CAI | OPC biometric guidance (Aug 2025) |
| Brazil — LGPD | Yes | Sensitive personal data | ANPD | Biometric consultation; rules pending |
| China — PIPL + FR Measures | Yes | Separate consent; local storage | CAC / MPS; registration > 100k | FR Measures in force 1 Jun 2025 |
| India — DPDP Act | Yes (on phase-in) | No separate biometric category | Data Protection Board | Rules notified; duties ~May 2027 |
| Australia — Privacy Act | Yes | "Sensitive information," consent | OAIC; new statutory tort | Retail face-recognition enforcement |
Volumes, dates, and counts are current to mid-2026 and move with each legislative cycle — re-check the named law before relying on a row.
Figure 2. The same three questions, answered by region. The biometric gate and the enforcement column are where deployments most often succeed or fail.
Public versus private space: the axis that flips intuitions
It is worth isolating the third framework question, because teams get it backwards. The instinct is "it's a public space, so we can film anything." For a private operator that is partly true in some regimes — but two things complicate it everywhere.
First, "public space" rarely means "no rules." EDPB Guidelines 3/2019 make clear that filming identifiable people in a public area is still processing their personal data, with all the duties that follow. Public, in EU terms, is not a free pass; it is a setting that usually demands more justification, because the people captured did not choose to be there.
Second, the identity of the watcher matters more than the place. A shop watching its own floor, a city watching a square, and the police running live face matching across a crowd are three different legal animals even in the same square metre. Public-authority surveillance tends to carry extra rules — the UK's separate camera code, the EU AI Act's near-ban on public live biometric identification, US city bans on police face recognition — precisely because the state watching citizens is the case privacy law worries about most.
Figure 3. The watcher matters as much as the place. Private-premises monitoring is the most permissive corner; public-authority live biometric identification is the most restricted.
Strictest-wins: how one product complies with all of them
Here is the practical heart of the article. You cannot economically build a separate product for every jurisdiction, and you cannot pick the loosest rule and hope. The workable strategy is strictest-wins: design the system to satisfy the union of the hardest requirements you will face across your regions, then relax a control for a specific region only when you can show it is safe there.
In concrete terms, the strictest-common-denominator baseline for a cross-region surveillance product looks like this: get explicit, opt-in consent before any biometric capture (required by Illinois, the EU, Quebec, and China); run a privacy/data-protection impact assessment before launch (EU, Quebec, increasingly expected elsewhere); minimise data and prefer on-device or count-only analytics so identifying footage is not retained by default (the technique set in face masking, redaction, and privacy-preserving analytics); keep clear notice and signage; cap retention to the shortest defensible window, covered in retention limits and lawful deletion; and store regional data where the strictest region requires (China's local-storage mandate is the forcing case). Build that once and most regions are already satisfied.
The reason strictest-wins pays is that the worst-case region sets your exposure, and the gap between getting it right and getting it wrong is enormous. Walk one number. Suppose a retailer enrols face templates for 50,000 shoppers and rolls the feature into Illinois without the written consent BIPA requires. BIPA's statutory damages run from $1,000 per violation for negligence to $5,000 for intentional or reckless violation:
negligent exposure = 50,000 people × $1,000 = $50,000,000
intentional exposure = 50,000 people × $5,000 = $250,000,000
Now design the same feature the strictest-wins way — match on the device and keep no stored face template, or gate enrolment behind explicit consent — and the biometric exposure in that worst-case region drops toward zero, because there is no unlawfully captured template to sue over. (The full BIPA accrual mechanics, including how courts have counted "per scan," live in the BIPA article; the figures here are illustrative of the scale, not a per-site prediction.) The arithmetic is why a feature you could ship freely in much of the US still gets designed to the Illinois-and-EU floor: one strict region governs the whole rollout.
Figure 4. Strictest-wins in practice. The baseline is the union of the toughest requirements; per-region relaxation is the exception you justify, not the default.
Common mistake: treating "strictest-wins" as "build for the EU and you're done." The EU is the strictest on consent and biometrics, but it is not strictest on everything. China imposes a data-residency rule the EU does not, and Illinois imposes a private-right-of-action litigation risk the EU does not. Strictest-wins means taking the hardest requirement on each axis from whichever region is toughest on that axis — consent, residency, retention, enforcement — not copying one region wholesale.
Data residency and cross-border transfer: where the bytes are allowed to live
One axis deserves its own note because it shapes architecture, not just paperwork: where recorded data is physically allowed to sit. The EU restricts moving personal data outside the European Economic Area unless a transfer mechanism (an adequacy decision, or standard contractual clauses) is in place — so a cloud region matters legally, not just for latency. China goes further for facial data, defaulting to local storage and forbidding internet transmission unless specifically authorised. The US, lacking a federal law, imposes no general residency rule, but sectoral and contractual requirements can.
For a multi-region VMS this usually means a regional-storage architecture: keep each region's footage and any biometric templates within that region, and move only minimised metadata across borders when you must. The deployment-model choices behind that — on-premise, regional cloud, or hybrid — are the subject of on-prem, cloud, and hybrid VMS; the regulatory point is that residency law, not engineering preference, often decides which one you can use in a given country.
Figure 5. Residency shapes architecture. Keep regional footage and templates in-region; move only minimised, non-identifying metadata across borders.
Common mistake: choosing a cloud region for latency and ignoring residency law. Putting EU camera footage in a US region without a valid transfer mechanism, or moving Chinese facial data offshore, is a compliance failure no matter how good the latency is. Decide storage location from the strictest residency rule first, then optimise performance within that constraint.
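The strictest-wins procedure and the residency rule above are both things a system should enforce as defaults rather than as policy documents. The following Python is an added illustration and not Fora Soft's code or any product's API. Its REGION_RULES table is a constructed, simplified engineering reading of the comparison table earlier in this article (region keys, axis names and the strictness scales are hypothetical), so it shows the mechanism, not a legal determination: resolve_baseline takes the hardest requirement on each axis across the regions you ship into, check_plan verifies each region's own floor, flags any relaxation below the baseline that lacks a recorded justification, and catches the two residency failures named in the common-mistake paragraph, and minimise_for_export is the "only non-identifying metadata crosses a border" filter.

```python
"""Strictest-wins baseline resolution and residency checks for a multi-region
surveillance rollout. Added example: REGION_RULES is a constructed, simplified
engineering reading of the article's comparison table, not a legal source."""
from dataclasses import dataclass

# Strictness scales: a higher index is stricter, so strictest-wins on an axis is max().
CONSENT = ["notice", "opt_out", "opt_in", "explicit_opt_in", "written_consent"]
RESIDENCY = ["any", "transfer_mechanism", "in_region"]

# Constructed per-region rule table. public_live_fr_banned=False only means no
# general ban is modelled here (city-level bans and the like are not encoded).
REGION_RULES = {
    "EU":    dict(consent="explicit_opt_in", dpia=True, residency="transfer_mechanism",
                  notify_regulator=False, registration_threshold=None, public_live_fr_banned=True),
    "US-IL": dict(consent="written_consent", dpia=False, residency="any",
                  notify_regulator=False, registration_threshold=None, public_live_fr_banned=False),
    "US-CA": dict(consent="opt_out", dpia=False, residency="any",
                  notify_regulator=False, registration_threshold=None, public_live_fr_banned=False),
    "CA-QC": dict(consent="explicit_opt_in", dpia=True, residency="any",
                  notify_regulator=True, registration_threshold=None, public_live_fr_banned=False),
    "CN":    dict(consent="explicit_opt_in", dpia=False, residency="in_region",
                  notify_regulator=False, registration_threshold=100_000, public_live_fr_banned=False),
    "AU":    dict(consent="opt_in", dpia=False, residency="any",
                  notify_regulator=False, registration_threshold=None, public_live_fr_banned=False),
}


def resolve_baseline(regions):
    """Union of the hardest requirement on each axis across the deployment regions."""
    rules = [REGION_RULES[r] for r in regions]
    thresholds = [r["registration_threshold"] for r in rules if r["registration_threshold"]]
    return {
        "consent": max((r["consent"] for r in rules), key=CONSENT.index),
        "dpia": any(r["dpia"] for r in rules),
        "residency": max((r["residency"] for r in rules), key=RESIDENCY.index),
        "notify_regulator": any(r["notify_regulator"] for r in rules),
        "registration_threshold": min(thresholds) if thresholds else None,
        "public_live_fr_banned": any(r["public_live_fr_banned"] for r in rules),
    }


@dataclass
class RegionPlan:
    region: str
    storage_region: str               # region holding footage and any face templates
    consent_mode: str                 # one of CONSENT
    transfer_mechanism: bool = False  # e.g. standard contractual clauses in place
    dpia_done: bool = False
    regulator_notified: bool = False
    registered: bool = False
    enrolled_subjects: int = 0
    relaxation_note: str = ""         # recorded justification for dropping below baseline


def check_plan(plans):
    """Return human-readable findings; an empty list means the plan passes."""
    baseline = resolve_baseline([p.region for p in plans])
    findings = []
    for p in plans:
        rule = REGION_RULES[p.region]
        have, need = CONSENT.index(p.consent_mode), CONSENT.index(rule["consent"])
        if have < need:
            findings.append(f"{p.region}: consent '{p.consent_mode}' is below local floor '{rule['consent']}'")
        elif have < CONSENT.index(baseline["consent"]) and not p.relaxation_note:
            findings.append(f"{p.region}: consent relaxed below baseline '{baseline['consent']}' without justification")
        offshore = p.storage_region != p.region
        if rule["residency"] == "in_region" and offshore:
            findings.append(f"{p.region}: stored in {p.storage_region}; local storage required")
        elif rule["residency"] == "transfer_mechanism" and offshore and not p.transfer_mechanism:
            findings.append(f"{p.region}: stored in {p.storage_region} with no transfer mechanism")
        if rule["dpia"] and not p.dpia_done:
            findings.append(f"{p.region}: impact assessment required before launch")
        if rule["notify_regulator"] and not p.regulator_notified:
            findings.append(f"{p.region}: regulator must be notified before a biometric database exists")
        limit = rule["registration_threshold"]
        if limit and p.enrolled_subjects > limit and not p.registered:
            findings.append(f"{p.region}: {p.enrolled_subjects} enrolled exceeds {limit}; registration required")
    return findings


# Fields that identify a person; they never leave the region of capture.
IDENTIFYING_FIELDS = {"face_template", "clip_uri", "track_id", "plate"}


def minimise_for_export(record):
    """Only non-identifying metadata (zone, counts, timestamps) crosses a border."""
    return {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}


if __name__ == "__main__":
    # Constructed sample plan: EU footage in a US region without a transfer
    # mechanism, Chinese facial data stored offshore, Illinois below written consent.
    plans = [
        RegionPlan("EU", "US-east", "explicit_opt_in", dpia_done=True),
        RegionPlan("CN", "EU", "explicit_opt_in", enrolled_subjects=150_000),
        RegionPlan("US-IL", "US-east", "opt_in"),
    ]
    print(resolve_baseline([p.region for p in plans]))
    for finding in check_plan(plans):
        print(finding)
```

The baseline is what the product builds as its default; check_plan then holds every region to its own floor and treats anything below the baseline as the exception you must justify, which is the Figure 4 rule in executable form. The residency branches are the two failures the common-mistake paragraph names, and minimise_for_export is the only path by which a record may leave its region.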
Where Fora Soft fits in
Building one surveillance product that ships into several regions is mostly an architecture problem disguised as a legal one: the law decides where data may live, what consent must precede capture, and which analytics can run, and the system has to express those decisions as defaults — regional storage, consent-gated enrolment, on-device or count-only analytics, retention caps — rather than as policies nobody enforces. Across 20+ years and 625+ projects in video surveillance, computer vision, streaming, and real-time video, our experience is that the systems that survive a cross-border rollout are the ones designed to the strictest-wins baseline from day one, because retrofitting consent, residency, and minimisation after launch is far more expensive than building them in. We lead with how a system behaves under real regulatory load — realistic accuracy ranges, auditable consent, data that stays where it must — then the capability.
What to read next
- GDPR for video surveillance — the EU baseline this map measures everyone against.
- BIPA and US biometric privacy law — why one US state dominates biometric risk.
- Retention limits and lawful deletion — the privacy cap that varies by region.
Call to action
- Talk to a surveillance engineer — book a 30-minute scoping call to talk through your surveillance privacy regulation by region plan.
- See our case studies — 250+ shipped projects across video streaming, WebRTC, OTT, telemedicine, e-learning, surveillance, and AR/VR.
- Download the Surveillance Regulation by Region — A Cross-Border Quick Reference — One-page printable that turns the article into a pre-deployment reference: the three framework questions (is video personal data; is a face template a higher biometric category; public vs private space and who operates); a compact….
References
- GDPR — Regulation (EU) 2016/679, Article 3 (territorial scope), European Union. Extraterritorial application to organisations outside the EU that offer goods/services to, or monitor the behaviour of, people in the EU. https://gdpr-info.eu/art-3-gdpr/ — Tier 1 (primary law).
- GDPR Article 9 (special-category data) and Article 35 (DPIA), European Union. Biometric data used to identify a person is special-category, prohibited by default; high-risk processing needs a DPIA. https://gdpr-info.eu/art-9-gdpr/ — Tier 1 (primary law).
- EDPB Guidelines 3/2019 on processing of personal data through video devices (v2.0, 2020), European Data Protection Board. Video of identifiable people is personal data; public-space filming is still processing. https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing-personal-data-through-video_en — Tier 1 (issuing-body guidance).
- EU AI Act — Regulation (EU) 2024/1689, Article 5 and Annex III, European Union. Real-time remote biometric identification in public spaces by law enforcement prohibited (in force 2 Feb 2025); high-risk biometric duties timeline. https://artificialintelligenceact.eu/article/5/ — Tier 1 (primary law).
- EU "Digital Omnibus" political agreement, 7 May 2026 — deferral of Annex III high-risk obligations to 2 December 2027, European Commission / co-legislators (pending formal adoption). https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai — Tier 1 (issuing-body).
- Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14, State of Illinois. Written consent before biometric capture; private right of action; statutory damages $1,000 / $5,000 per violation. https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57 — Tier 1 (primary law).
- China — Security Management Measures for the Application of Facial Recognition Technology (CAC & Ministry of Public Security, effective 1 June 2025), with PIPL (2021). Local storage default; registration over 100,000 individuals; ban on compulsory face scans. https://www.chinalawtranslate.com/en/facial-rec-2025/ — Tier 1 (primary regulation, translated).
- India — Digital Personal Data Protection Act, 2023 and DPDP Rules, 2025 (notified 14 Nov 2025), Ministry of Electronics and Information Technology / Press Information Bureau. Phased commencement; core duties ~May 2027. https://www.pib.gov.in/PressReleasePage.aspx?PRID=2190655 — Tier 1 (primary law).
- Australia — Privacy Act 1988, Australian Privacy Principle 3, and the Privacy and Other Legislation Amendment Act 2024, Office of the Australian Information Commissioner. Biometric templates are "sensitive information"; statutory tort added 2024. https://www.oaic.gov.au/privacy/australian-privacy-principles — Tier 1 (primary law).
- Canada — PIPEDA, and OPC Guidance on the use of biometrics (private sector), 11 August 2025; Quebec Law 25, Office of the Privacy Commissioner of Canada / Commission d'accès à l'information. Consent, appropriate purpose; Quebec PIA + advance regulator notification. https://www.priv.gc.ca/en/privacy-topics/technology/biometrics/ — Tier 1 (issuing-body guidance + primary law).
- Brazil — Lei Geral de Proteção de Dados (LGPD), Lei nº 13.709/2018; ANPD biometric consultation (2025), Autoridade Nacional de Proteção de Dados. Biometric data is sensitive personal data. https://www.gov.br/anpd/ — Tier 1 (primary law).
- UK — Data Protection Act 2018, UK GDPR, and the Data (Use and Access) Act 2025; ICO video-surveillance guidance; Surveillance Camera Code of Practice, Information Commissioner's Office. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/cctv-and-video-surveillance/ — Tier 1 (primary law + regulator guidance).
- US state comprehensive privacy laws (2026) and dedicated biometric statutes (Texas CUBI; Washington HB 1493) — orientation on the ~20-state patchwork and biometric-as-sensitive treatment. Tier 5 (analyst orientation; named statutes are tier 1).