Skip to content
Chimera readability score 75 out of 100, Expert reading level.

In some stores across Estonia, security camera footage is also monitored by artificial intelligence, which analyzes shoppers' behavior patterns. However, the technology is not yet widely used.
Retailers around the world have begun adopting artificial intelligence to make it easier to detect shoplifting. Connecting AI to an existing video surveillance system typically does not require new cameras and the algorithm analyzes behavioral patterns that might go unnoticed by security staff.
While the use of AI to monitor people has raised privacy concerns, the law does not distinguish between footage monitored by a person and footage monitored by AI.
"The General Data Protection Regulation (GDPR) and other laws governing the processing of personal data are technology-neutral. This means the same principles apply regardless of the technology used. If data processing is lawful without artificial intelligence, it does not become unlawful simply because AI is used," the Data Protection Inspectorate explained.
The clearest legal boundary concerns real-time facial recognition. For example, stores are generally not permitted to use a facial recognition system that would alert security personnel when someone previously convicted of shoplifting enters the premises. As early as 2024, Estonian retailers identified facial recognition cameras as a potential way to catch repeat shoplifters, but the Data Protection Inspectorate pointed out that the law does not allow their use for that purpose.
Several retailers across Europe have disclosed that they use AI as part of their video surveillance systems. Among Estonia's largest retail chains, however, interest has been relatively limited, with only Prisma confirming that it uses artificial intelligence in this way.
Prisma using AI in surveillance since 2022
"Prisma uses artificial intelligence in its stores as a tool to support video surveillance, primarily to help identify potential anomalies in customer behavior and draw the attention of security staff to situations that require further review," said Alar Olup, head of security for the supermarket chain.
According to Olup, implementing AI has improved the detection of violations and made the security department's work more efficient. He said AI is particularly useful in situations where it is necessary to identify behavior that deviates from normal patterns.
"At the same time, the system does not make final decisions on its own as every finding generated by the program must be reviewed and validated by a person," Olup emphasized.
He added that modern video surveillance and security systems increasingly support AI integration, with some solutions offering more advanced capabilities than others.
The use of AI does not mean people will disappear from security work. "Human judgment is still required to confirm an incident. If necessary, a security employee must intervene, complete the required documentation and, in the event of a violation, hand over the case materials to the police," the security chief said.
Maxima did not specify to what extent it uses AI in its video surveillance systems.
The company's head of security said that shoplifting and the methods used to detect it involve internal procedures and confidential information that the company does not comment on publicly. "We use AI to identify shoplifting cases and anomalies in our systems related to purchases, cash handling and similar activities," said Jaanika Terasmaa, the company's sales and marketing director.
Rimi, Selver and Lidl do not rely on AI in video surveillance
Mariann Järvela, communications manager for Selver, said the retail chain keeps up with the solutions available on the market and has been introduced to such technologies, but has so far decided to continue using its conventional video surveillance system.
"When implementing solutions like these, companies must take current data protection requirements into account. They place clear limits on the use of technological measures," she said.
Rimi's head of marketing and communications, Madis Eesmaa, emphasized that the chain does not use AI systems in its video surveillance and has not tested them either.
Lidl has also not adopted AI for its video surveillance, though it has not ruled out doing so in the future.
"While our current security and surveillance systems already provide a consistently high level of safety for both customers and employees in our stores, we are always open to evaluating new technologies from local and international service providers. I would also add that, because Lidl is part of a large international network, it cannot be ruled out that such solutions will eventually be introduced here as well," said the company's security specialist, Arvo Parve.
Coop had not responded to ERR's request for comment by the time this article was published.
Data could end up in third countries
The Data Protection Inspectorate noted that many AI-based solutions currently on the market may transmit the data they process to third countries for further processing.
"In such cases, the requirements of the General Data Protection Regulation apply in the same way as they do to any other transfer and processing of personal data. If camera footage contains personal data, the data controller must ensure that the processing is lawful and that the rights of data subjects are protected. Depending on the solution being used, this may include permanently blurring faces before the data is transmitted or using other technical measures that reduce the possibility of identifying individuals," the Data Protection Inspectorate said.
--
Editor: Marcus Turovski

Facts Only

* Artificial intelligence is used in some Estonian shop video surveillance systems to analyze shopper behavior patterns.
* Retailers globally are adopting AI to detect shoplifting.
* Connecting AI typically uses existing video surveillance systems.
* The General Data Protection Regulation (GDPR) and related laws are technology-neutral concerning data processing.
* Use of AI does not automatically make data processing unlawful if it is lawful without AI.
* Estonian law restricts the use of facial recognition to alert security about prior shoplifters.
* Prisma uses AI to identify potential anomalies in customer behavior and draw security attention, requiring human review.
* Maxima uses AI to identify shoplifting cases and anomalies related to purchases and cash handling.
* Selver, Rimi, and Lidl do not currently rely on AI for video surveillance.
* AI-based solutions may transmit processed data to third countries for further processing.

Executive Summary

Artificial intelligence is being adopted in some Estonian retail video surveillance systems to analyze shopper behavior patterns, although widespread use remains limited. Retailers globally are exploring AI integration for detecting shoplifting, which connects with existing video systems without requiring new cameras and analyzes behaviors security staff might miss. The legal framework governing data processing, including the GDPR, applies equally to footage monitored by humans and by AI, as the principles are technology-neutral. Facial recognition remains a specific area of concern; Estonian law currently restricts using facial recognition systems for purposes such as alerting security about prior shoplifters. Some major Estonian retailers, like Prisma, use AI primarily to identify behavioral anomalies to direct security attention, with the process requiring final human review and intervention. Other large chains in Estonia, such as Maxima, utilize AI internally to identify shoplifting cases and anomalies related to purchases. In contrast, other retail chains, including Rimi, Selver, and Lidl, have not implemented AI for video surveillance, though they remain open to future evaluation of new technologies. Furthermore, there is a noted risk that data from these AI systems may be transferred to third countries for processing, necessitating adherence to GDPR requirements regarding data transfer safeguards like blurring faces.

Full Take

The narrative presents a tension between technological capability and established legal/ethical boundaries. The core conflict lies in the application of technology versus privacy protection, complicated by the legal stance that current data laws are technology-neutral. The use case described—identifying anomalies to prompt human review rather than autonomous decision-making—presents a specific locus of control where AI acts as an assistant, not a replacement for human judgment. This distinction is crucial; autonomy in security decisions remains tethered to human intervention, mitigating some of the worst concerns associated with fully automated surveillance. The pattern observed is the incremental introduction of sophisticated monitoring tools into retail spaces, where adoption is uneven across the industry (Prisma uses it, others do not), highlighting a gap between global technological trends and localized regulatory implementation. A significant implication arises from the data transfer issue; even when processing is lawful in the originating jurisdiction, cross-border flows introduce complex jurisdictional risk under GDPR. The focus on facial recognition as the clearest legal boundary suggests that the primary regulatory challenge is defining the threshold for invasive monitoring rather than the technology itself. The missing context involves assessing whether the stated requirement for human validation is genuinely sufficient against sophisticated AI outputs, or if it functions more as a procedural hurdle than a true safeguard. What are the specific audit mechanisms ensuring that the "review and validation" step prevents systemic bias introduced by the initial AI pattern detection? What long-term societal costs accrue from normalizing this level of behavioral pre-screening in commercial environments?

Sentinel — Human

Confidence

The article effectively synthesizes regulatory information with specific retail examples, demonstrating the depth and nuance typically found in human-sourced, fact-based journalism.

Signals Detected
low severity: Moderate sentence length variance; appropriate use of complex legal concepts.
low severity: Logical flow connecting general AI adoption to specific Estonian regulations and company examples.
low severity: Citations from the Data Protection Inspectorate are integrated smoothly; specific quotes anchor the narrative.
low severity: Claims are directly tied to stated regulatory bodies (GDPR, DPA) and specific company confirmations/denials.
Human Indicators
Presence of nuanced legal explanation regarding GDPR application to technology neutrality.
Use of specific organizational quotes providing operational context (Prisma, Maxima), which is characteristic of investigative reporting.
Artificial intelligence used in Estonian shops' video surveillance systems — Arc Codex