UK: The UK High Court Finds Police Use Of Automated Facial-Recognition Technology Permissible

On 4 September 2019, the High Court in England and Wales rejected a judicial review claim brought by Edward Bridges, a civil liberties campaigner (the "Claimant") regarding the use of automated facial-recognition technology ("AFR") by the Chief Constable of South Wales Police's ("SWP").  The High Court dismissed claims that the use of AFR by SWP breached UK data protection laws and was contrary to the European Convention on Human Rights.  The High Court determined that the use of AFR constituted the processing of biometric data but that the SWP had established lawful grounds and had met the other legal requirements to process it. 

The decision sheds light on the types of processing activities that will constitute the processing of biometric data as well as the legal bases and other requirements that must be satisfied by businesses and other types of organisations in order to use AFR under the UK Data Protection Act 2018 and the European General Data Protection Regulation ("GDPR"). 

Background

The SWP has been using AFR Locate in public spaces since 2017 for crime-prevention purposes. When AFR Locate is deployed, images of the faces of members of the public moving within public spaces are taken from live CCTV feeds and are processed in real time to extract unique facial features to create templates for those individuals. Each template is then compared against templates of individuals on a police watch list.  The watch list templates were created from images held on databases maintained by SWP as part of ordinary policing activities.

The claim

The Claimant's claim related to SWP's use of AFR Locate in general and with respect to two particular instances where SWP used AFR Locate where the Claimant was present and his image was captured. The Claimant claimed that such use was contrary to Article 8 of the European Convention on Human Rights, the previous UK Data Protection Act 1998, the current UK Data Protection Act 2018 and the UK Equality Act 2010.

Was the use of AFR Locate contrary to the requirements of UK data protection legislation?

The Claimant brought claims under both the previous Data Protection Act 1998 and the current Data Protection Act 2018 ("DPA 2018"), which supplements the GDPR. None of the deployments by SWP of AFR Locate took place after the commencement of DPA 2018 but both parties requested the court consider the legality of the deployments of AFR Locate as if they had taken place after the commencement of DPA 2018.

DPA 2018

Under the DPA 2018, which supplements the GDPR in the UK by setting out the equivalent conditions and requirements under which personal data can be processed by public bodies for law enforcement purposes, the Claimant made two claims:

1. The first claim was that SWP had breached the first data protection principle under S.35 DPA 2018, which requires that the processing of personal data for any of the law enforcement purposes to be lawful and fair.

In deciding whether the first data protection principle had been complied with, the court considered the extent to which the processing by AFR Locate constituted "sensitive processing" under the law enforcement chapter of the DPA 2018 ("sensitive processing" is equivalent to the processing of special category personal data under the GDPR, which includes the processing of biometric data).

The first question for the court was, as a result of the manner in which AFR Locate collected facial images as well as generated and checked templates, whether the use of AFR Locate involved the collection and processing the biometric data of general members of the public in addition to biometric data relating to those individuals on the watch list.

SWP submitted that any processing of facial images by AFR Locate of members of the public was not "sensitive processing" because the purpose of AFR Locate was not to identify non matching members of the public recorded by CCTV but only to identify those that were on the watch list (i.e. only those individuals that matched a watch list template).

The court held that the collection and use of facial images relating to members of the public by AFR Locate did constitute "biometric data" and so was "sensitive processing".  The court decided that, although SWP's overall purpose was to identify the persons on the watch list, in order to achieve the overall purpose, each member of the public needed to be uniquely identified by processing their biometric information.  The court noted that the fact that facial biometric information is retained for only a very short period (except where a match is detected), does not affect this analysis.

The second question for the court was whether a legal ground could be relied upon under the DPA 2018 to process the biometric data; namely whether (a) the processing was "strictly necessary" for the law enforcement purpose; (b) whether one of the prescribed conditions that has to be satisfied for this purpose was met under Schedule 8 DPA 2018; and (c) whether there was an "appropriate policy document" that met the requirements of S.42 DPA 2018.

The court held:

  1. The processing was strictly necessary for the law enforcement purpose.  The court found that:
    1. The deployment of AFR Locate was to ensure the safety of the public and detect crime.  The event had previously attracted disorder and some of those involved in previous protests (who were on the watch list) had caused criminal damage and made bomb hoax calls. The apprehension of suspects wanted on warrant or on suspicion of having committed an offence in the South Wales area could not have been achieved using CCTV alone.  The use of watch lists was clearly targeted, being directed only to those people who need to be located for good reason and the evidence demonstrated that, during the trial period, the new technology had resulted in arrests or disposals where the individual in question had not been capable of location by previous methods.
    2. the two specific uses of AFR Locate that resulted in images being taken of the Claimant struck a fair balance and was not disproportionate in that AFR Locate was deployed in an open and transparent way, with significant public engagement and on each occasion, it was used for a limited time and covered a limited footprint. Any interference would be limited to the near instantaneous algorithmic processing and discarding of the Claimant's biometric data.  No personal data relating to the Claimant would have been available to any police officer, or to any human agent.  No data would be retained.  There was no attempt to identify the Claimant and he was not spoken to by any police officer.
  2. A condition under Schedule 8 was met, namely that the processing was necessary for the exercise of a function conferred on a person by an enactment or rule of law, and was necessary for reasons of substantial public interest.  The relevant rule of law was SWP's common law duty to prevent and detect crime and the necessity test was satisfied as explained above; and
  3. The court was unable to decide whether SWP's document titled "Policy on Sensitive Processing for Law Enforcement Purposes", was an "appropriate policy document".  The court stated that although the document provided some explanation of SWP's policies for securing compliance, it was brief and lacking in detail, and that there was no systematic identification of the relevant policies and no systematic statement of what those policies provided.  In particular, the document did not appear to address the position of members of the public. Nonetheless, the court was reluctant to make a decision as to whether the document constituted an "appropriate policy document".  Given the role of the UK Information Commissioner and the prospect of future guidance, the court did not think it was necessary for it to rule either way and said that the development and specific content of that document was, for the time being, better left for reconsideration by SWP in the light of further guidance from the UK Information Commissioner's Office.

2. The second claim was that SWP had failed to carry out a data protection impact assessment, as required under S.64 DPA 2018. The court held that the impact assessment prepared by SWP met the requirements of S.64, noting the following points:

  1. The court felt there was a clear narrative that explained the proposed processing, which referred to the concerns raised in respect of intrusions into privacy of members of the public when AFR Locate was used; and
  2. That whilst the treatment of the personal data of those on watch lists was a particular focus of the document, the document did recognise that personal data of members of the public would be processed and identified the safeguards in place in terms of the duration for which any such data would be retained, the purpose for which it would be used and considered other requirements that had to be met.

Was the use of AFR Locate contrary to The European Convention on Human Rights?

The Claimant also argued that the use of AFR Locate interfered with the Claimant's rights under Article 8(1) of the European Convention on Human Rights (right to private life) and that, for the purposes of Article 8(2) the interference was neither "in accordance with the law" nor "necessary" or "proportionate".

The court held:

  1. The use of AFR Locate did infringe the Article 8(1) rights of those in the position of the Claimant; but
  2. The use of AFR Locate was necessary and proportionate as explained above and so met the requirements of the Human Rights Act given that the actions of SWP were subject to sufficient legal controls.

Conclusion

It is clear from the High Court's decision that the use of AFR constitutes the processing of biometric data under the GDPR and DPA 2018, not just in relation to those individuals on a watch list, but importantly, in the case of any other members of the public who can be identified from the relevant camera or sensor using AFR technology.   In a statement, the UK Information Commissioner's Office welcomed the court's decision that the use of AFR involves the processing of biometric data of members of the public and said that it will now consider the court's findings before finalising their recommendations and guidance to police forces in their use of the technology.

In this case, while the court found that the SWP was processing biometric data, it determined that the SWP had complied with its data protection obligations when processing it for law enforcement purposes.

However, it is unlikely that businesses operating in the private sector will be able to reply on the same legal grounds as the SWP for the range of purposes for which they may seek to deploy AFR and similar technologies.  As a result of biometric data becoming categorised as special category personal data under the GDPR from 25 May 2018, organisations currently using or seeking to use AFR and similar technologies must demonstrate that they comply with additional, more restrictive legal requirements in order to use it.   Organisations currently using or seeking to use AFR or similar technologies should consider whether they can comply with these additional, more restrictive requirements with respect to the entire population that may be identified by the relevant cameras or other sensors utilising these technologies.   The decision also provides useful guidance on the factors a court will take into account when determining whether an appropriate data protection impact assessment has been conducted in the context of AFR, which should be considered by organisations looking to use these types of technologies.

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2019. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions