Today, in a seminal judgment handed down in relation to a claim for judicial review brought by Mr Edward Bridges, the High Court ruled that the South Wales Police use of live facial recognition technology (‘FRT’), which has been trialled since 2017 was lawful even though no specific FRT law was or is in existence. The Court suggested this is the first legal challenge of its kind to be brought anywhere in the world.
Whilst it is crucial to recognise that the judgment is fact-specific, it appears that the Court found that the South Wales Police have deployed this technology in a proportionate and measured way, against a background in which Elizabeth Denhan, the Information Commissioner, expressed her deep concern about the rollout of live facial recognition technology by law enforcement and suggested in the proceedings that the categories of persons in the ‘watchlist’ with which the collected data was to be compared must be specified in law.
The key findings of the Court were as follows:
- An image of a person’s face is ‘personal data’ for the purposes of the data protection legislation;
- FRT involves the creation and processing of a biometric picture of an individual which requires ‘sensitive processing’;
- Such processing affects an individual’s privacy rights created by the ECHR and protected in the UK by the Human Rights Act 1998: it is more than taking a photograph in a public space;
- Such processing can be, and in this case was, compliant with ECHR privacy rights and data protection obligation on those collecting and processing personal data. In this instance this was because, in the context of historically wide common law powers available to the police to gather and use information to protect the public and keep the peace, the deployment of the technology by the South Wales Police has been in compliance with the Data Protection Act 2018; in adherence to the Surveillance Camera Code of Practice (as secondary legislation); and in accordance with extensive policies and procedures adopted by them – taken together these were considered by the Court together to be “legally enforceable standards”.
The judgment does not explore whether the policies and procedures adopted currently by the South Wales Police are watertight, but it does recognise the need to periodically review the legal framework in future (whilst at the same time, specifically noting that, in respect of the South Wales Police’s standard operating procedures, future improvement or alteration “is not evidence of present deficiency”).
The Court’s judgment dealt only with the use of FRT by law enforcement, limited to the specific facts of the South Wales Police trials; it left open the door to future challenges on human rights grounds. The judgment does not deal directly with the use of FRT in quasi-public spaces such as shops and retail parks which has aroused recent media controversy. However, the Court’s conclusions may contain important lessons for private entities seeking to legally deploy FRT for legitimate commercial reasons, at least as far as confirming FRT needs to operate squarely within data protection requirements.
Notwithstanding the fact that Mr Bridges, represented by ‘Liberty’, immediately announced his intention to appeal the Court’s findings, it is likely that other law enforcement agencies will see this judgment as a green light to develop and deploy live facial recognition technology for law enforcement purposes. For the moment, the judgment makes it clear that the focused use of the technology as a tool to assist the police in apprehending individuals wanted on suspicion of having committed an offence; those who are known protestors who had committed previous criminal offences; and those who may be considered to pose a risk of harm to themselves, is permissible in assisting police officers to carry out their duty to protect the public and keep the peace.
If you’d like to discuss any of the issues raised in this article, please contact us in the strictest confidence.
Julian Hayes is a Partner specialising in all aspects of corporate crime and regulatory work. As well as dealing with high profile fraud and corruption matters, including investigations with an international dimension, he has considerable experience of advising corporates on data protection and cybercrime issues.
Michael Drury is a partner at BCL with a diverse practice, ranging from extradition to representing individuals in regulatory proceedings brought by the FCA; acting in criminal investigations by the SFO; and is a leading expert on surveillance and investigatory powers as well as information law and cybercrime.