The High Court of England and Wales (“Court”) in the case of R (Bridges) v. Chief Constable of South Wales Police, recently ruled the use of facial recognition technology to be legal. The Court was tasked with deciding whether the existing legal regime in the United Kingdom was sufficient to ensure the appropriate and non-arbitrary use of automated facial recognition technology (“AFR”) in a free and civilised society. This case marks the first time any court in the world considered AFR.

Brief facts of the case:

The claimant, a civil liberties campaigner living in Cardiff challenged the lawfulness of using “ARF Locate” by the South Wales Police (“SWP”). ARF Locate was an AFR which involved the deployment of surveillance cameras to capture digital images of members of the public, which were then processed and compared with digital images of persons on watchlists compiled by SWP for the purpose of the deployment. The claimant claimed to have been caught on camera on multiple occasions by ARF Locate when he was out in public.

The key questions before the Court were as follows:

a. Whether the use of AFR was in accordance with the principles of Article 8 of the European Convention of Human Rights (“ECHR”)?

b. Whether the claimant’s data protection rights under both the Data Protection Act 1998 (“DPA 1998”) and Data Protection Act 2018 (“DPA 2018”) were breached by the use of the AFR?

Analysis and findings:

1. Whether the use of AFR was in accordance with the principles of Article 8 of the ECHR.

The claimant had a two-pronged argument:

a. Firstly, the deployment of AFR Locate was not in “accordance with law” as per Article 8(2) as the SWP did not have the power to deploy it in the first place and that even if the SWP’s use of AFR was not ultra vires, any interference with Article 8(1) rights was not subject to a sufficient legal framework such that it was capable of being justified under Article 8(2); and

b. Secondly, AFR’s legal framework lacked foreseeability, predictability and hence, legality.

The Court first considered if there had been an interference with the claimant’s rights under Article 8 of the ECHR. Article 8(1) of the ECHR guarantees the right to respect for private life, family life, home and correspondence; which public authorities cannot interfere with except in certain circumstances as provided in Article 8(2), such as; in accordance with the law and necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

The Court, relying on judicial precedents, admitted that AFR technology engages the Article 8 rights of any person whose face was scanned or was at a risk of being scanned. AFR derived biometric data, as per the Court, was an important source of personal information and had an “intrinsically private” character.

With regards to the first claim of AFR Locate not being “in accordance with law”, the Court held that an absence of a specific statutory basis for the use of AFR Locate did not by that reason make it ultra vires. As per the Court, the police constables are creatures of common law who owe the public a common law duty to prevent and detect crime; therefore, common law affords the police sufficient powers as authority for use of AFR. The Court reiterated judicial precedents wherein it was held that under common law, police have the power to obtain and store information for policing purposes. The reason that the police did not need statutory powers in this regard was because these powers were always available to them under common law. The Court observed that the only issue was whether using cameras fitted with AFR technology to obtain the biometric data of members of the public in public by the police could be considered to be physically intrusive in nature. Holding the use of AFR to be no more intrusive than the use of CCTV in the streets, the Court stated that no physical entry, contact or force is necessary when using AFR Locate to obtain biometric data. It simply involves taking a photograph of someone’s face and the use of algorithms to attempt to match it with photographic images of faces on a watchlist. The Court concluded by stating that the police’s common law powers were “amply sufficient” in relation to the use of AFR Locate.

With respect to the claimant’s second claim, the High Court stated that there existed a clear and sufficient legal framework governing the usage of AFR Locate, spanning across three elements namely: (a) primary legislation; (b) secondary legislative instruments in the form of codes of practice issued under primary legislation; and (c) SWP’s own local policies.

For the primary legislations, the Court placed reliance on the DPA 2018, holding that it embeds key safeguards which apply to all processing of all personal data – including the biometric data processed when AFR Locate is used. Under Section 34(8) of the DPA 2018, the SWP as a data controller had to demonstrate compliance with the six data protection principles and the two safeguarding measures set out at Sections 35 to 42 of the DPA 2018. These principles apply to all operations which involve retention or use of personal data, thus, including AFR. The Court also drew attention to Section 35(3) of the DPA 2018 which set out specific conditions that must be met for “sensitive processing”, which included “processing … of biometric data for the purposes of uniquely identifying an individual”. The Court observed that the requirements arising under the DPA 2018 are mirrored in the Code of Practice on the Management of Police Information, issued by the College of Policing under Section 39A of the Police Act, 1996 and concluded that the circumstances in which AFR is used were, in this way, foreseeable. After perusing the current secondary legislative instruments and SWP’s local policies, the Court acknowledged that while the present framework for AFRs was not insufficient, the future development of AFR technology was likely to require periodic re-evaluation of the sufficiency of the legal regime.

Lastly, the Court applied the Bank Mellat four-part proportionality test developed in Bank Mellat v. Her Majesty’s Treasury (No 2), [2014] AC 700, to see if the interference with Article 8(1) rights was justified and if AFR met the criteria under the test. It held that firstly, SWP used AFR for a legitimate security aim; secondly, SWP’s use of AFR was rationally connected to the legitimate aim; thirdly, a less intrusive method could not have been used as CCTV could not have identified which people at events were on watchlists and fourthly, the use of AFR Locate struck a fair balance between the rights of the individual and the interests of the community and was not disproportionate.

2. Whether the claimant’s data protection rights under both the DPA 1998 and DPA 2018 were breached by the use of the AFR.

a. The claimant claimed a breach of Section 4(4) of the DPA 1998, which placed an obligation on data controllers “to comply with the data protection principles in relation to all personal data with respect to which he is the data controller”. The first data protection principle, as set out in Part 1 of Schedule 1 to the DPA 1998, mandates personal data to be processed fairly and lawfully. The primary point of dispute was the extent to which using AFR Locate entailed processing personal data.

The Court observed that the definition of personal data under the DPA 1998 was “data which relates to a living individual who can be identified….” and stated that there were two ways to determine whether the data in the instant case could be considered as personal data; (i) indirect identification, and (ii) individuation. Relying on the individuation approach, the Court reiterated precedents wherein it was held that “identification for the purposes of data protection is about data that “individuates” the individual, in the sense that they are singled out and distinguished from all others”. The Court held that information recorded by AFR Locate individuated the claimant from other people and it singled him out and distinguished him from all others, therefore the information provided by AFR Locate did amount to “personal data”. However, as the Court had already held AFR Locate to be compatible with Article 8 of the EHRC, it concluded that AFR Locate’s use satisfied the conditions of lawfulness and fairness specified under the DPA 1998.

b. The claimant’s second claim revolved around whether the use of AFR Locate complied with the first data protection principle, i.e. sensitive processing of data for the purposes of “law enforcement” under section 35(3) of the DPA 2018. As per the claimant, (i) AFR Locate entailed “sensitive processing” in the manner provided under section 35(8) of the DPA 2018 and (ii) AFR Locate did not meet the requirements of section 35(5) of the DPA 2018 which dealt with the use of sensitive processing.

The Court first delved into whether AFR Locate entailed processing biometric data of members of the public “for the purpose of uniquely identifying an individual” to address the scope of sensitive processing where AFR Locate is used. Rejecting SWP’s submission that only the personal data of people on watchlists had been sensitively processed, the Court interpreted Section 35(8)(b) of the DPA 2018 to apply to both the biometric data for the people on the watchlist and to the biometric data of the members of the public. The Court observed that comparisons could only be made if each person was uniquely identified. Although SWP’s overall purpose was to identify the persons on the watchlist, in order to achieve that overall purpose, the biometric information of members of the public would also be processed so that each was also uniquely identified, i.e. in order to achieve a comparison.

With regards to sensitive processing of data by AFR Locate meeting the requirements under Section 35(5) of the DPA 2018, there were three requirements to be met; first, that “the processing is strictly necessary”; second, that the processing must meet at least one of the conditions in Schedule 8 to the DPA 2018; and third, that when the processing occurs “the controller has an appropriate policy document in place for the law enforcement purpose”. The Court analysed AFR’s compliance with each of the Section 35(5) requirements and concluded that, (i) the analysis of “strict necessity” was the same as that of proportionality under Article 8 of the EHRC; (ii) the processing of data by AFR Locate met the Schedule 8 criterion of a rule of law function, i.e. the duty to prevent and detect crime and (iii) the SWP had an “appropriate policy document” as was required under Section 42(2) of the DPA 2018.

The last claim under this head was SWP’s alleged contravention of Section 64 of the DPA 2018, which imposed an obligation on data controllers to undertake impact assessments of the proposed processing of personal data. The Court held that SWP was in compliance with the requirements of this section.

Decision of the Court:

In the end, the Court dismissed the claimant’s overall claim on all grounds. The Court stated that it was satisfied that the current legal regime was adequate to ensure the appropriate and non-arbitrary use of AFR Locate, and that SWP’s use to date of AFR Locate was consistent with the requirements of the data protection legislation.

This update has been contributed by Vinod Joseph (Partner) and Protiti Basu (Associate).