May a municipality deploy ANPR cameras against cut-through traffic?

The deployment of Automatic Number Plate Recognition (ANPR) cameras by local governments to enforce traffic rules is increasing exponentially. A decision by the Belgian Data Protection Authority (DPA) of March 12, 2026 (No. 56/2026), however, makes it clear that municipalities should not simply use this technology as a panacea. Protecting citizens' privacy requires a watertight legal basis, a strict proportionality test and impeccable technical security. Absent these, the data processing is unlawful and exposes the government to penalties.

The facts

The case revolves around a local project, called “Less traffic, better living,” through which the municipality of Dilbeek sought to combat creeping traffic via a permit system and ANPR cameras. The municipality introduced an access ban, indicated by the traffic sign C3, which applied during rush hours.

To make the system workable, the municipality worked with a so-called whitelisting or permit list. Following categories received or could apply for permits:

• Residents and merchants living or working in the permit zone.
• Visitors to these residents and merchants, subject to registration by the resident or merchant.
• Service, municipal and waste management vehicles.
• Healthcare providers, such as doctors, home health aides and physical therapists.

When an unlicensed vehicle crossed the zone during prohibition hours, the ANPR cameras automatically recorded it as a violation.

In response, a resident of the municipality filed a complaint with the DPA. He claimed that the deployment of the cameras was excessive and refused to divulge his personal data (and that of his visitors) in order to be allowed to drive through the neighborhood, forcing him to travel only by bicycle.

The decision of the Data Protection Authority

The DPA's Litigation Chamber ruled harshly, finding several serious violations of the General Data Protection Regulation (GDPR) and national law. The municipality received an official reprimand for this. The main findings are:

• No valid legal basis (Article 6.1.e GDPR): The municipality invoked its public interest mission, but could not show that it had made the required trade-off between the necessity of the project and the privacy interests of citizens beforehand.
• Violation of data minimization and privacy by design (Art. 5.1.c and 25 GDPR): The municipality did examine traffic calming alternatives, but did not test beforehand whether the goal could be achieved with less intrusive data processing.
• Excessive data retention and unauthorized linking: No clear retention period had been established for permit applications, and in practice data were retained for too long. Moreover, the DPA ruled that structurally linking and storing visitors' data together with residents' data constituted too far-reaching an intrusion into personal privacy.
• Unlawful consultation of databases: The municipality accessed the chassis number in the Crossroads Database of Vehicles (KBV/DIV) without having the proper authorization to do so.
• Inadequate logging (GAS Act and National Register Act): When consulting the Crossroads Bank of Vehicles and the National Register, the municipality was unable to produce the legally required, complete log files.
• Inadequate Data Protection Impact Assessment (DPIA): The DPIA carried out was totally inadequate. The systematic consultation of the National Register was not mentioned, the data flows around visitor registration were missing, and the risks to the rights of data subjects were not correctly assessed.

Legal analysis and interpretation

This decision is an important precedent regarding the limits of local enforcement through technology. The Litigation Chamber stressed that the deployment of ANPR systems is large-scale, continuous and often untargeted, significantly increasing the risk of far-reaching infringements on fundamental rights compared to traditional surveillance.

The process interest: behavior modification is sufficient

A most notable legal aspect of this ruling is the assessment of the complainant's litigation interest. The municipality argued that the complainant had no actual or personal interest since his data was not effectively processed (after all, he no longer drove his car through the zone). The DPA, following case law from the Court of Cassation and the Court of Justice, rejects this defense. The fact that a citizen must modify his behavior in public spaces (such as avoiding the neighborhood) in order to avoid infringing data processing is more than sufficient to have a legitimate interest in a complaint. This opens the door for proactive complaints by empowered citizens against encroaching camera networks.

The proportionality test and legal basis

For legal experts, the analysis of the legal basis (Art. 6.1.e GDPR) is important. A local government cannot merely refer to its general competence regarding “safe and smooth traffic flow” (as art. 135 §2 of the New Municipal Law) as a blank check for mass surveillance. The legislative norm must define the essential characteristics of the processing. If it does not, the burden of proof shifts to the data controller: the municipality itself must make a prior, explicit and documented assessment of the necessity of the processing and the privacy rights. Without this documented assessment, the processing is de facto unlawful. This fits perfectly with the autonomous European concept of ‘necessity’ as formulated in the Huber- and Schecke-rulings of the Court of Justice.

Strict requirements for consultation of authentic sources

Finally, this ruling brings into sharp focus a pain point in the cooperation between governments and IT vendors. Local governments bear ultimate responsibility for the legal obligations regarding IT security and logging, as set forth in Article 19/1 of the GAS Act and Article 17 of the National Register Act. That an IT sub-processor refused to update its systems because of its own “cost-benefit consideration” is not a valid excuse for the municipality. Indeed, these security breaches led to an order for immediate suspension of the camera project by the Inspection Service during the investigation.

What this means in practice

This decsion has significant implications for all parties involved in local traffic enforcement:

• For local governments (cities and towns): It is time for an urgent vetting of all ongoing and planned ANPR projects. A thorough, prior and comprehensive Data Protection Impact Assessment (DPIA) is absolutely mandatory. This must prove why physical barriers (such as retractable bollards) or occasional police checks are not sufficient. Contracts with IT vendors should also be reviewed to require conclusive guarantees around legal logs and data minimization.
• For citizens and interest groups: You do not have to wait to be unjustly fined. The mere presence of a privacy-infringing camera system affecting your mobility behavior is sufficient grounds to take action with the appropriate regulators.
• For IT vendors and processors: ‘Privacy by design’ is not a dead letter. By default, software should be built so that retention periods expire automatically, that visitor data does not remain uselessly linked to residents, and that consultations of government databases are meticulously logged (who, what, when and why).

Frequently asked questions (FAQ)

May a municipality use ANPR cameras for traffic enforcement?
Yes, but only under strict conditions. The municipality must document in advance why the deployment of cameras is absolutely necessary and proportionate in relation to the privacy of the citizen. This is preferably documented in a conclusive Data Protection Impact Assessment (DPIA). There must also be strict technical safeguards regarding data minimization and security.

Can I, as a citizen, file a complaint against an ANPR camera on my street even if I have not received a fine?
Yes. Case law states that you have a personal and legitimate interest once you have to modify your behavior in the public space (e.g. choose a different route or leave the car) to escape the unwanted processing of your personal data by the camera.

What are the rules around linking and retaining visitor license plates in a permit zone?
Data should not be kept longer than strictly necessary. Moreover, the Data Protection Authority ruled that the standard linking and joint retention of a visitor's license plate to a local resident's personal data constitutes an excessive and unlawful invasion of privacy.

Conclusion

The deployment of new technologies by the government increasingly clashes with fundamental privacy rights. Are you as a (Belgian or Flemish) government working on a ‘smart city’ project or the implementation of ANPR, or are you as a citizen or company confronted with disproportionate monitoring systems? Then timely and specialized legal advice is indispensable to avoid costly mistakes or breaches.