The expanding use of surveillance in Kosovo comes with weak oversight and growing privacy risks; stronger institutions and greater public awareness are required to strike the right balance between safety and freedom.
In mid-2025, Kosovo’s Information and Privacy Agency, IPA, used its new monitoring platform to scan the country’s digital infrastructure for exposed devices.
What it found were vulnerabilities in roughly 6,000 surveillance cameras in apartment buildings, private businesses, cafés, warehouses, and municipal facilities, many easily accessible online due to the use of weak passwords or outdated firmware.
“This showed us how fragile the system really is,” said Arbian Arifi, head of the Complaints Review Division at the IPA.
Following the scan, IPA began reviewing the findings and is now preparing “targeted measures based on the level of risk”, said Arifi.
“This will be the first time IPA takes a structured, risk-based approach to surveillance systems across the country.”
The discovery comes as surveillance has quietly become embedded in daily life across Kosovo.
IPA annual reports from 2022 to 2025 show that municipalities have installed cameras in public areas, schools and hospitals have adopted monitoring systems, and private businesses increasingly use CCTV not only for security but also at times to observe employees; also in residential buildings, systems are often installed without the consent of residents.
Kosovo’s embrace of surveillance, however, has outpaced the safeguards meant to regulate it.
As cameras proliferate across both the public and private sectors, institutional oversight struggles to keep up, exposing citizens to weak accountability, systemic vulnerabilities, and growing risks to their privacy and security.
Protections on paper
Kosovo regulates video surveillance through the Law on the Protection of Personal Data, which incorporates core principles from the EU General Data Protection Regulation, GDPR, including lawfulness, necessity, proportionality, and transparency. A dedicated subchapter outlines the obligations of controllers who operate surveillance systems.
Under the law, every CCTV system must be registered with the IPA, accompanied by visible signage informing the public that monitoring is taking place, and limited to a maximum 30-day retention period for footage.
Surveillance is permitted only within the perimetre of the controller’s property; filming beyond those boundaries, storing footage indefinitely, or operating without notice is unlawful.
Workplace surveillance is allowed only when strictly necessary and may not cover sensitive areas such as restrooms or changing rooms. Employers must notify staff in writing before any monitoring begins. In apartment buildings, cameras can be installed only with the approval of at least 70 per cent of residents, and footage may not be transmitted online or broadcast beyond the building.
Public institutions may use cameras solely to secure their premises, while surveillance of open public spaces is the exclusive jurisdiction of the police. The Kosovo Intelligence Agency, KIA, may conduct surveillance only with prior court authorisation.
Patterns of misuse
According to IPA annual reports, between 2023 and mid-2025 the agency received 94 complaints concerning surveillance systems, representing roughly one-quarter of its caseload.
These complaints show a clear pattern: disputes in collective housing, private homes filming neighbouring property or public streets, and businesses monitoring employees or public areas without legal basis.
“Collective housing remains our biggest challenge,” said Arifi. “Most complaints come from apartment buildings where systems are installed without the required resident consent.”
Maintenance companies and building owners frequently install cameras without securing the 70 per cent resident approval required by law, leading to conflicts among tenants and repeated IPA intervention.
Private homes create similar issues: cameras are often positioned illegally toward adjacent property or directly at public streets. The IPA regularly refers these cases to the police, which responds in more than 90 per cent of referrals. These disputes illustrate how easily personal surveillance devices can be misused in residential settings, often without awareness of the legal boundaries.
Misuse also appears in the workplace and education sector.
In December last year, the IPA fined Universum College 8,000 euros for installing cameras in classrooms and restrooms, one of the biggest fines levied against a private institution and highlighting the risks of intrusive monitoring in environments where individuals have a heightened expectation of privacy.
Public-sector misuse has surfaced as well.
In March 2022, the IPA ordered the Municipality of Pristina to suspend cameras placed in public spaces, reaffirming that only the police may monitor open public areas.
The same year, police removed more than 50 unregistered cameras in predominantly Serb-populated northern Kosovo, where residents complained they had no idea who controlled the cameras or for what purpose.
Together, these cases show a consistent pattern: surveillance misuse spans private, public, and residential settings, and IPA interventions are largely reactive, occurring only once violations escalate into complaints.
Oversight and enforcement
The IPA has the power to investigate complaints or open cases on its own initiative.
According to Arifi, inspections begin with checking the basics:
“We look at whether cameras are capturing prohibited areas, whether signage is in place, and whether controllers are respecting the 30-day retention limit,” said Arifi.
Inspectors may also review a system’s digital video recorder to verify how it operates.
“The first measure is a warning and an order for improvement,” said Arifi. “Reducing the perimetre, correcting the signage, or, in biometric cases, stopping processing altogether. There are situations where we suspend processing until legal criteria are met.”
Beyond enforcement, the IPA has issued guidelines, templates, and standardised signage to help institutions comply. These tools are intended to translate legal requirements into practice, but implementation remains uneven. Many controllers still install systems without internal authorisation, adequate signage, or lawful scope – reflecting a widespread perception that surveillance is simply a normal security measure rather than a regulated activity.
The IPA’s ability to oversee all controllers is limited.
With only six inspectors covering the entire country, the Agency relies heavily on complaints rather than proactive monitoring. As Arifi noted, many infringements go unreported because citizens are often unaware of their rights. This means that unlawful systems may remain in place for long periods before anyone challenges them.
Civil society findings underscore these gaps. A 2024 review by Levizja FOL, an NGO promoting transparency and accountability in public institutions, found that out of 105 public institutions, 92 had appointed data protection officers, but 82 had not published privacy policies, leaving major transparency obligations unfulfilled. Even when institutions meet formal requirements, substantive compliance remains inconsistent.
Dispersed, unregulated practices
Across the Western Balkans, surveillance has increasingly shifted toward state-centric systems, combining large-scale monitoring with weak transparency and limited oversight.
In Serbia, for example, The Guardian reported in December 2024 that authorities had deployed Israeli-made spyware against activists and journalists.
Albania’s ‘Smart City’ project doubled in cost while expanding its surveillance reach without public explanation, according to a 2025 report by Tirana Times. BIRN’s Surveillance and Censorship in the Western Balkans report described these developments as part of a broader regional trend in which fragile democracies adopt powerful surveillance tools with few protections against misuse.
Kosovo is in a different position: the police remain the only authority legally permitted to monitor public space; the IPA has not registered any complaints claiming unlawful monitoring by the police; and when municipalities, including in the capital, tried to install cameras in public spaces, the IPA ordered them to suspend their use.
These actions reflect a notable distinction: Kosovo has not pursued centralised, state-led surveillance programmes of the sort emerging elsewhere in the region. Instead, the most significant risks stem from dispersed, unregulated practices by private actors, businesses, and individuals.
In this sense, most of Kosovo’s current risks come from dispersed, bottom-up practices rather than centralised systems.
Surveillance is especially problematic in northern Kosovo, where political tensions shape both its use and its impact. Here, surveillance carries a distinctly political dimension, with installations perceived as tools of intimidation rather than security.
New vulnerabilities
Kosovo is currently undergoing a wider digitalisation of public services, a process that brings both opportunities and new vulnerabilities.
As digital systems expand, so does the possibility that surveillance technologies such as automated CCTV analytics or facial recognition could be integrated into institutional workflows. Regional trends show how quickly such tools can be misused, such as in Serbia and Albania.
Civil society activists warn that these risks are likely to intensify.
Adison Gara, programme director at the Institute for Technology and Society, noted that surveillance by citizens and businesses will grow as equipment becomes cheaper and “smart” features more accessible.
Gara emphasized that both public and private institutions have neglected cybersecurity, leaving systems exposed.
“Unless more resources are directed toward cybersecurity, privacy will continue to be infringed, not because of malicious intent alone, but because the infrastructure itself is insecure,” said Gara.
Mexhide Demolli-Nimani of Levizja FOL said transparency must improve if these risks are to be contained.
“Institutions should publish the locations of cameras, explain their purpose and retention periods, conduct privacy impact assessments, and report regularly to the public and the Assembly,” she said.
Preventing Kosovo from drifting toward the state-centric surveillance model emerging elsewhere in the region requires firm and clearly defined safeguards: public-space monitoring must remain exclusively with the police, but under strict legal limits, transparent oversight, and narrow, well-justified purposes to prevent overreach; as digital public services expand, privacy protections must be built into every new system from the start – not added later to contain emerging risks; and institutions and businesses must recognise that surveillance is a regulated activity, not an informal security measure, and ensure that cameras are used only when necessary, proportionate, and clearly documented.
Above all, Kosovo needs real investment in cybersecurity. Without secure infrastructure, even basic cameras become points of vulnerability, exposing citizens to intrusion and eroding trust in digital systems.