Sweden IMY Reprimands Securitas over AI Driver Cameras | TLY

AI Regulation Tracker  /  Enforcement action

Sweden's Data Authority Faults Securitas Over AI Cameras That Watched Its Drivers

On June 16, 2026, Sweden's data protection authority, IMY, reprimanded Securitas Sverige AB for in-vehicle cameras that used image analysis to monitor drivers in real time. It found the company had no valid legal basis under GDPR. This is a binding enforcement decision, not a fine, and it puts a marker down on AI-driven workplace surveillance.

The Leveraged Years AI Regulation News

On June 16, 2026, IMY published a decision against Securitas Sverige AB, one of the country's largest security companies, over cameras it had installed inside some of its patrol vehicles. The cameras were pointed at the driver. They did not just sit there as a passive dashcam. They ran image analysis on the driver's behavior while the vehicle was moving, and the system could push warnings to both the driver and the employer based on what it saw. During one stretch of the period IMY looked at, the setup also recorded.

The regulator's conclusion was that this crossed a line. IMY found that Securitas did not have a lawful basis under the GDPR for that kind of monitoring, and it issued the company a reprimand. In IMY's words, "Vi har funnit att det här är en ingripande form av bevakning" (we have found that this is an intrusive form of monitoring). The authority added that "det krävs starka skäl for att bevakning av det här slaget ska vara tillåten" (strong reasons are required for monitoring of this kind to be permitted). Securitas could point to no such basis that survived the analysis.

What the regulator actually decided

Here is the core of it. Under the GDPR, you cannot process personal data unless you have one of the lawful bases in Article 6. Employers most often reach for legitimate interests, which lets you process data where your interest is real and is not overridden by the rights and freedoms of the people you are watching. That test is a balancing act, and the balance tips against you the more intrusive the processing gets.

Continuous camera monitoring of a worker inside their vehicle, with AI reading their behavior and flagging it, sits at the intrusive end of that scale. IMY treated it that way. The company's stated purpose, framed around safety and oversight, did not on its own carry enough weight to outweigh the privacy intrusion on the drivers. Without a lawful basis that held up, the processing was unlawful, and the reprimand followed.

Two things are worth being precise about. First, this is an enforcement decision, a formal finding that the company broke the rules, not a soft advisory or a piece of guidance. Second, the corrective tool IMY chose here was a reprimand rather than a fine. Under the GDPR a reprimand is a real enforcement measure, and it establishes on the record that the monitoring was unlawful. It does not carry a monetary penalty in this instance, but it is not a slap on the wrist you can ignore. A company that keeps running an activity a regulator has formally found unlawful is inviting a much harder second visit.

Why the AI part matters

Plenty of employers have run cameras in vehicles for years. What sharpens this case is that the system was not just capturing footage for later. It was analyzing the driver in real time and generating warnings off that analysis. That is the feature that turns a camera into a behavioral monitoring tool, and it is exactly the capability that vendors now sell into fleets as an AI safety upgrade.

The reason that matters for the legal test is simple. The more the technology continuously assesses and reacts to a person, the more intrusive the processing becomes, and the higher the bar for justifying it. An AI system watching a worker throughout their shift and nudging them on their conduct is a long way from a dashcam you only pull footage from after a crash. IMY's decision is a signal that regulators will treat the AI-driven, always-on version as the more serious intrusion, and will expect a correspondingly stronger justification.

What this means for US employers and their counsel

Start with the honest caveat. IMY is a Swedish regulator applying the GDPR. If your workforce and your data sit entirely in the United States, this decision does not bind you, and there is no Article 6 legal-basis requirement hanging over a purely domestic US operation.

Now the part that does travel. A lot of US companies are not purely domestic. If you run drivers, deliveries, or field crews in the EU or UK, or you process the personal data of EU-based workers, this is your regime, and this decision tells you how at least one supervisory authority reads AI driver monitoring. The safety-first pitch that vendors lead with is not, by itself, a legal basis. You need a documented balancing assessment, a narrower and less intrusive configuration where possible, worker transparency, and a real answer to the proportionality question before you switch the analytics on.

Even for the domestic-only employer, the direction of travel should register. US worker-surveillance law is a patchwork, but it is filling in. Several states restrict electronic monitoring notice, biometric-privacy statutes reach face and behavior analysis, and the NLRB and state agencies have been circling algorithmic management of workers. The Securitas decision is a clean example of the analysis regulators are gravitating toward: continuous AI monitoring of employees is treated as intrusive, and the burden is on the employer to justify it, not on the worker to object. Counsel advising on any AI driver-monitoring, dashcam-analytics, or productivity-surveillance rollout can use this as a concrete data point for why a safety label is not a compliance strategy.

What to do now

If you are deploying or already running AI-based monitoring of workers, inventory it first. Know which systems analyze behavior in real time, what they capture, who sees the warnings, and whether anything is recorded and retained. For any EU or UK exposure, write down your lawful basis and your proportionality assessment before, not after, a regulator asks. Configure for the least intrusive version that still does the job, tell workers plainly what is being monitored and why, and keep a named owner accountable for the program. And do not let the vendor's safety framing stand in for your legal analysis. The Securitas decision is the regulator saying, out loud, that it will not either.

Questions professionals are asking

Did IMY fine Securitas?

No. IMY issued a reprimand, which is a formal enforcement measure under GDPR Article 58(2)(b), not an administrative fine. It is a binding finding that the monitoring was unlawful, but it did not carry a monetary penalty in this decision.

What exactly did the cameras do?

They were installed inside certain Securitas vehicles and pointed at the driver. The system used image analysis to assess the driver's behavior in real time and could send warnings to both the driver and the employer, and for part of the period it also recorded. IMY treated this continuous, AI-driven monitoring as an intrusive form of surveillance.

Why did the monitoring fail the legal test?

Under the GDPR, processing personal data needs a lawful basis under Article 6, and for legitimate interests the employer's interest must not be overridden by the workers' rights. IMY found the monitoring intrusive enough that Securitas's stated purpose did not justify it, so there was no valid legal basis and the processing was unlawful.

Does this decision apply to US employers?

Not directly for a purely domestic US operation, which has no GDPR Article 6 obligation. But if you process the personal data of EU or UK workers, this regime applies and the decision shows how a regulator reads AI driver monitoring. For domestic-only employers it is a persuasive benchmark as US worker-surveillance and biometric-privacy law tightens.

Can we still use AI dashcams or driver monitoring?

Potentially, but not on the strength of a safety label alone. The decision points to documenting a lawful basis and a proportionality assessment, configuring the least intrusive setup that meets the need, being transparent with workers, and keeping the program accountable. Confirm your specific approach with qualified counsel in the relevant jurisdiction.

RELATED BRIEFINGS

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any law or enforcement decision applies to your situation with qualified counsel in the relevant jurisdiction.