Facial Recognition Technology: High Court gives judgment

12 September 2019 by

R (Bridges) v Chief Constable of South Wales Police and Secretary of State for the Home Department [2019] EWHC 2341 (Admin)

The High Court has dismissed an application for judicial review regarding the use of Automated Facial Recognition Technology (AFR) and its implications for privacy rights and data protection.

Haddon-Cave LJ and Swift J decided that the current legal regime is adequate to ensure the appropriate and non-arbitrary use of AFR in a free and civilised society. The Court also held that South Wales Police’s (SWP) use to date of AFR by has been consistent with the requirements of the Human Rights Act 1998 (HRA) and data protection legislation.

Nonetheless, periodic review is likely to be necessary. This was the first time any court in the world had considered AFR. This article analyses the judgement and explores possible avenues for appeal.

The Claims

Live AFR captures the facial biometrics of people passing within range of surveillance cameras and compares this data to the facial biometrics of people on police watchlists. It is described in the judgment as a

new and powerful technology which has great potential to be put to use for the prevention and detection of crime. [7]

The claimant, a civil liberties campaigner, challenged SWP’s use of AFR on three main grounds:

  1. The SWP’s use of AFR was contrary to the requirements of ECHR Article 8;
  2. The SWP breached the Claimant’s data protection rights under both the Data Protection Act 1998 (DPA 1998) and Data Protection Act 2018 (DPA 2018);
  3. The SWP failed to comply with the Public Sector Equality Duty under section 149 of the Equality Act 2010.

Ground 1: Article 8

The Court accepted that AFR technology engages the Article 8 rights of anyone whose face is scanned (or is at risk of being scanned). The extensive jurisprudence of both the UK Supreme Court and the ECtHR emphasises the tension between the use of invasive scientific techniques in the criminal justice system and private-life interests. The case of S v. United Kingdom (2009) 48 EHRR 50 concerned the retention of biometric information in the form of fingerprint records and DNA samples. At [67] the ECtHR observed “the mere storing of data relating to private life of an individual amounts to an interference within the meaning of Article 8.” Like fingerprints and DNA, the High Court held that AFR technology enables the extraction of information of an “intrinsically private” character.

The subsequent question was whether the use of AFR Locate by the SWP is “in accordance with the law” for the purposes of Article 8(2). The Claimant’s submission in this regard was that SWP does not, as a matter of law, have the power to deploy AFR and that even if the SWP’s use of AFR is not ultra vires, any interference with Article 8(1) rights is not subject to a sufficient legal framework such that it is capable of being justified under Article 8(2).

In support of this latter argument, the Claimant cited the Police and Criminal Evidence Act 1984, which regulates the collection and use of fingerprints and DNA samples. He argued that absent comparable provision for AFR technology, its use is not “in accordance with the law”. Parallel to this, it was claimed that both the DPA 1998 and DPA 2018 are insufficient for the regulation of AFR.

The Court held the lack of a specific statutory basis for the use of AFR Locate did not render the technology ultra vires. This is because the SWP’s and the Home Secretary’s reliance upon the police’s common law powers are sufficient authority for use of this equipment. In R (Catt) v Association of Chief Police Officers [2015] AC 1065, which considered the lawfulness of collecting and retaining personal information, Lord Sumption JSC held “At common law the police have the power to obtain and store information for policing purposes, i.e. broadly speaking for the maintenance of public order and the prevention and detection of crime.” [7]

The Court said this broad construal of the police’s common law powers meant the only issue is whether the use of AFR constitutes what Lord Sumption in Catt termed an “intrusive method” and, therefore, out-with the common law powers of the police. The Court said an “intrusive method” was a clear reference to physical intrusion. For this reason, “the [use of AFR] is no more intrusive than the use of CCTV in the streets.” [75]

The Claimant’s second submission was that the legal framework governing the use of AFR lacked the necessary qualities of lawfulness that Lord Bingham originally articulated in R (Gillan) v Commissioner of Police of the Metropolis [2006] 2 AC 307 at [34], that is foreseeability and predictability.

In S v United Kingdom, the Grand Chamber concluded the legality of arrangements for the retention and use of fingerprints and DNA required “detailed rules governing the scope and application of measures” to provide sufficient guarantees against the risk of abuse and arbitrariness at [99]. Moreover at [103], the ECtHR held “The need for such safeguards is all the greater where the protection of personal data undergoing automatic processing is concerned, not least when such data are used for police purposes.”

Nonetheless, the High Court was satisfied that there is a clear and sufficient legal framework governing whether, when and how the system AFR Locate may be used. This framework is composed of three legally enforceable layers in addition to the restraints of the common law.

First, there is primary legislation in the form of the DPA 2018. Second, there are secondary legislative instruments, namely the Surveillance Camera Code of Practice pursuant to section 30 of the Protection of Freedoms Act 2012. Third, there are the SWP’s own local policies. The cumulative effect of these elements renders the use of AFR by SWP sufficiently foreseeable and accessible to satisfy the “in accordance with the law” requirement of Article 8(2).

The most important element is the DPA 2018. As explained by Lord Sumption in Catt (at [8]), the DPA 2018 embeds key safeguards which apply to all processing of all personal data – including the biometric data processed when AFR Locate is used. Part 3 of the DPA 2018 applies to processing for law enforcement purposes. According to section 34(3) of the DPA 2018, SWP as data controller, “must be able to demonstrate its compliance with” the six data protection principles and the two safeguarding measures set out at sections 35 – 42 of the Act. The principles apply to all operations which involve retention or use of personal data, thereby encompassing AFR.

The High Court referred to Catt [14] in holding that it was not legally important that these are principles of general application. Moreover, section 35(3) of the DPA 2018 sets out specific conditions that must be met for “sensitive processing”, which includes “processing … of biometric data for the purposes of uniquely identifying an individual”. These requirements arising under the DPA 2018 are mirrored in the Code of Practice on the Management of Police Information, issued by the College of Policing under section 39A of the Police Act 1996. While the framework is not presently deficient, the Court held the future development of AFR technology is likely to require periodic re-evaluation of the sufficiency of the legal regime.

The Court finally asked whether SWP’s use of AFR Locate satisfied the four-stage proportionality test in Bank Mellat v Her Majesty’s Treasury (No 2) [2014] AC 700. First, the use of AFR pursues a legitimate security aim. Second, SWP’s use of AFR is rationally connected to that aim. Third, a less intrusive method could not have been used: CCTV could not have identified whether those at the event were on watchlists, which the Court characterised as being “clearly targeted” [104]. Fourth, the use of AFR Locate strikes a fair balance between the rights of the individual and the interests of the community and was not disproportionate. This is because the interference with the Claimant’s Article 8 rights “would be limited to the near instantaneous algorithmic processing and discarding of the Claimant’s biometric data.” [101]


The High Court’s treatment of the meaning of “intrusion” in the context of ECHR Article 8 is worthy of re-consideration. Following Catt, the Court interpreted an “intrusive method” of obtaining information in purely physical terms. It followed that because AFR did not compromise an individual’s “bodily integrity”, its level of “intrusion” compared to the use of CCTV in the streets. This fails to grasp how the instantaneous capture of biometric information extracts more private information about a person than a video image. Knowledge of this extraction could affect the “psychological integrity” of an individual, possibly infringing their right to privacy in absence of manifest consent.

This relates to proportionality. If “intrusion” is interpreted on a physical-psychological continuum, proportionate use of AFR should reflect how “sensitive processing” power ought not to be deployed on an indiscriminate basis to ordinary members of the public. This reformed understanding might influence the Court’s approach to the proportionality test.

The conceptual novelty of AFR, moreover, should inform our evaluation of “accessibility” as a criterion of the rule of law. As the ECtHR held in Big Brother Watch v UK in consideration of the Regulation of Investigatory Powers Act 2000:

the domestic law must be sufficiently clear to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to any such measures.

Applying this principle, it is arguable that AFR – being a novel technology – should have a specific statutory basis.

Ground 2: Data Protection

Claim under DPA 1998

The first claim concerned the obligation at s. 4(4) of the DPA 1998 on data controllers “to comply with the data protection principles in relation to all personal data with respect to which he is the data controller”. The first of those principles, set out in Part 1 of Schedule 1 to the DPA 1998, mandates “personal data shall be processed fairly and lawfully”.

The primary point of dispute was whether using AFR Locate entails the processing of “personal data” within the meaning of Section 1 of the DPA 1998. The Act defines “personal data” as “data which relates to a living individual who can be identified”. The Court said there were two methods of personal identification to consider: (a) indirect identification and (b) individuation.

The CJEU adopted an expansive approach to indirect identification in Breyer v Bundesrepublik Deutschland (Case C-582/14), which concerned whether dynamic IP addresses were personal data within the definition in the 1995 Directive. The only incidents excluded were where the risk of identification “appears in reality to be insignificant” [46]. In the context of AFR, this route was deemed “artificial and unnecessary” because the identification mechanism in Breyer did not resemble.

In Vidal-Hall v Google Inc. [2016] QB 1003, in the context of an application for permission to serve proceedings out of the jurisdiction, the Court of Appeal had to consider whether it was arguable that browser generated information (i.e. information about the claimants’ internet usage), was personal data. There the Court held at [115] that

identification for the purposes of data protection is about data that “individuates” the individual, in the sense that they are singled out and distinguished from all others.

Anonymity did not preclude individuation. Applying this principle, the High Court said the information provided by AFR Locate did amount to “personal data”. However, because AFR was held to be compatible with ECHR Article 8, its use satisfied the conditions of lawfulness and fairness stipulated in the DPA 1998.

Claim under section 34 DPA 2018

The second claim concerned whether the use of AFR Locate complies with the first data protection principle for the purposes of “law enforcement” under section 35(3) DPA 2018.

The Claimant contended, first, that AFR Locate entails the “sensitive processing” of personal data as described in section 35(8) of the DPA 2018, and secondly that AFR Locate does not meet the requirements of section 35(5), which regulate the use of sensitive processing.

The first issue to address is the scope of sensitive processing where AFR Locate is used: does it entail processing biometric data of members of the public “for the purpose of uniquely identifying an individual”?

The Court rejected SWP’s submission that only the personal data of those on watchlists had been sensitively processed. Section 35(8)(b) of the DPA 2018 can properly be read as applying both to the biometric data for those on the watchlist and to the biometric data of the members of the public. Indeed, comparisons can only be made if each person is uniquely identified. This conclusion is supported by the inclusion of biometric data within the General Data Protection Regulation (Reg 2016/679/EU) and the Data Protection Law Enforcement Directive (2016/680/EU), which are measures the DPA 2018 seeks to implement.

The second issue was whether this sensitive processing met the requirements of section 35(5). The Court reached three conclusions. First, that analysis of “strict necessity” is the same as that of proportionality under ECHR Article 8. Second, the processing meets the Schedule 8 criterion of a rule of law function, namely the duty to prevent and detect crime. Third, the SWP had an “appropriate policy document” for securing compliance, as required by section 42(2) DPA 2018. The absence of precise information on the position of members of the public in that document did not preclude the successful discharge of that obligation.

Claim under section 64 DPA 2018

The third claim concerned section 64 of the DPA 2018, which sets out an obligation on data controllers to undertake impact assessments of the proposed processing of personal data. The Court was satisfied that SWP had discharged its obligation under section 64. Evaluation thereof is comparable to judgement on the execution of the public sector equality duty. In essence, a Court will not necessarily substitute its own view for that of the data controller on all matters. As Underhill LJ stated in R (Unison) v Lord Chancellor [2016] ICR 1, the Court must simply inquire “whether the essential questions have been conscientiously considered and that any conclusions reached are not irrational.”


Following my suggestion for an amended approach to ECHR Article 8, it is arguable the Court should in fact apply a distinction between the levels of protection for individual rights under the HRA 1998 and the DPA 2018. Application of this distinction would create a problem for the assessment of lawfulness and fairness under the DPA 2018.

Ground 3: The Public Sector Equality Duty

The Court dismissed the challenge to the SWP’s discharge of the Public Sector Equality Duty under section 149 of the Equality Act 2010. It held there was insufficient evidence to support the Claimant’s contention that SWP did not, in its Equality Impact Assessment, consider the possibility that AFR Locate might produce results that were indirectly discriminatory on grounds of sex and/or race because it produces a higher rate of false positive matches for female faces and/or for black and minority ethnic faces. More detailed factual investigations were required before firm conclusions on bias could be reached.


As to this point, it is suggested that factual concerns about the possibility of discriminatory false positives require urgent attention and may have to be considered again in due course.

Sapan Maini-Thompson is an LLM Candidate at University College London. He tweets @SapanMaini.

1 comment;

  1. Thank you for sharing.

Comments are closed.

Welcome to the UKHRB

This blog is run by 1 Crown Office Row barristers' chambers. Subscribe for free updates here. The blog's editorial team is:
Commissioning Editor: Jonathan Metzer
Editorial Team: Rosalind English
Angus McCullough QC David Hart QC
Martin Downs
Jim Duffy

Free email updates

Enter your email address to subscribe to this blog for free and receive weekly notifications of new posts by email.




7/7 Bombings 9/11 A1P1 Aarhus Abortion Abu Qatada Abuse Access to justice adoption AI air pollution air travel ALBA Allergy Al Qaeda Amnesty International animal rights Animals anonymity Article 1 Protocol 1 Article 2 article 3 Article 4 article 5 Article 6 Article 8 Article 9 article 10 Article 11 article 13 Article 14 article 263 TFEU Artificial Intelligence Asbestos Assange assisted suicide asylum asylum seekers Australia autism badgers benefits Bill of Rights biotechnology birds directive blogging Bloody Sunday brexit Bribery British Waterways Board Catholic Church Catholicism Chagos Islanders Charter of Fundamental Rights child protection Children children's rights China christianity circumcision citizenship civil liberties campaigners civil partnerships climate change clinical negligence closed material procedure Coercion Cologne Commission on a Bill of Rights common buzzard common law communications competition confidentiality confiscation order conscientious objection consent conservation constitution contact order contempt of court Control orders Copyright coronavirus costs costs budgets Court of Protection crime criminal law Criminal Legal Aid criminal records Cybersecurity Damages data protection death penalty declaration of incompatibility defamation DEFRA Democracy village deportation deprivation of liberty derogations Detention devolution Dignitas dignity Dignity in Dying diplomacy director of public prosecutions disability Disability-related harassment disciplinary hearing disclosure Discrimination Discrimination law disease divorce DNA doctors does it matter? domestic violence Dominic Grieve don't ask don't ask don't tell don't tell Doogan and Wood double conviction DPP guidelines drones duty of care ECHR economic and social rights economic loss ECtHR Education election Employment Environment environmental information Equality Act Equality Act 2010 ethics Ethiopia EU EU Charter of Fundamental Rights EU costs EU law European Convention on Human Rights European Court of Human Rights European Court of Justice european disability forum European Sanctions Blog Eurozone euthanasia evidence Exclusion extra-jurisdictional reach of ECHR extra-territoriality extradition extradition act extradition procedures extradition review extraordinary rendition Facebook Facebook contempt facial recognition fair procedures Fair Trial faith courts fake news Family family courts family law family legal aid Family life fatal accidents act Fertility fertility treatment FGM fisheries fishing rights foreign criminals foreign office foreign policy France freedom of assembly Freedom of Association Freedom of Expression freedom of information Freedom of Information Act 2000 freedom of movement freedom of speech free speech game birds gangbo gang injunctions Garry Mann gary dobson Gary McFarlane gay discrimination Gay marriage gay rights gay soldiers Gaza Gaza conflict Gender General Dental Council General Election General Medical Council genetic discrimination genetic engineering genetic information genetics genetic testing Google government Grenfell grooming Gun Control gwyneth paltrow gypsies habitats habitats protection Halsbury's Law Exchange hammerton v uk happy new year harassment Hardeep Singh Haringey Council Harkins and Edwards Health healthcare health insurance Heathrow heist heightened scrutiny Henry VII Henry VIII herd immunity hereditary disorder High Court of Justiciary Hirst v UK HIV HJ Iran HM (Iraq) v The Secretary of state for the home department [2010] EWCA Civ 1322 Holder holkham beach holocaust homelessness Home Office Home Office v Tariq homeopathy hooding Hounslow v Powell House of Commons Housing housing benefits Howard League for Penal Reform how judges decide cases hra damages claim Hrant Dink HRLA HS2 hs2 challenge hts http://ukhumanrightsblog.com/2011/04/11/us-state-department-reports-on-uk-human-rights/ Human Fertilisation and Embryology Act Human Fertilisation and Embryology Authority human genome human rights Human Rights Act Human Rights Act 1998 human rights advocacy Human rights and the UK constitution human rights commission human rights conventions human rights damages Human Rights Day human rights decisions Human Rights Information Project human rights news Human Rights Watch human right to education human trafficking hunting Huntington's Disease HXA hyper injunctions Igor Sutyagin illegality defence immigration Immigration/Extradition Immigration Act 2014 immigration appeals immigration detention immigration judge immigration rules immunity increase of sanction India Indonesia Infrastructure Planning Committee inherent jurisdiction inherited disease Inhuman and degrading treatment injunction Inquest Inquests insult insurance insurmountable obstacles intelligence services act intercept evidence interception interests of the child interim remedies international international conflict international criminal court international humanitarian law international human rights international human rights law international law international treaty obligations internet internet service providers internment internship inuit investigation investigative duty in vitro fertilisation Iran iranian bank sanctions Iranian nuclear program Iraq Iraqi asylum seeker Iraq War Ireland irrationality islam Israel Italy iTunes IVF ivory ban jackson reforms Janowiec and Others v Russia ( Japan Jason Smith Jeet Singh Jefferies Jeremy Corbyn jeremy hunt job Jogee John Hemming John Terry joint enterprise joint tenancy Jon Guant Joseph v Spiller journalism judaism judges Judges and Juries judging Judicial activism judicial brevity judicial deference judicial review Judicial Review reform judiciary Julian Assange jurisdiction jury trial JUSTICE Justice and Security Act Justice and Security Bill Justice and Security Green Paper Justice Human Rights Awards JUSTICE Human Rights Awards 2010 just satisfaction Katyn Massacre Kay v Lambeth Kay v UK Ken Clarke Ken Pease Kerry McCarthy Kettling Kings College Klimas koran burning Labour Lady Hale lansley NHS reforms LASPO Law Commission Law Pod UK Law Society Law Society of Scotland leave to enter leave to remain legal aid legal aid cuts Legal Aid desert Legal Aid Reforms legal blogs Legal Certainty legal naughty step Legal Ombudsman legal representation legitimate expectation let as a dwelling Leveson Inquiry Levi Bellfield lewisham hospital closure lgbtq liability Libel libel reform Liberal Democrat Conference Liberty libraries closure library closures Libya licence conditions licence to shoot life insurance life sentence life support limestone pavements limitation lisbon treaty Lithuania Litigation litvinenko live exports local authorities locked in syndrome london borough of merton London Legal Walk London Probation Trust Lord Bingham Lord Bingham of Cornhill Lord Blair Lord Goldsmith lord irvine Lord Judge speech Lord Kerr Lord Lester Lord Neuberger Lord Phillips Lord Rodger Lord Sumption Lord Taylor LSC tender luftur rahman machine learning MAGA Magna Carta mail on sunday Majority Verdict Malcolm Kennedy malice Margaret Thatcher Margin of Appreciation margin of discretion Maria Gallastegui marriage material support maternity pay Matthew Woods Mattu v The University Hospitals of Coventry and Warwickshire NHS Trust [2011] EWHC 2068 (QB) Maya the Cat Mba v London Borough Of Merton McKenzie friend Media and Censorship Medical medical liability medical negligence medical qualifications medical records medicine mental capacity Mental Capacity Act Mental Capacity Act 2005 Mental Health mental health act mental health advocacy mental health awareness Mental Health Courts Mental illness merits review MGN v UK michael gove Midwives migrant crisis Milly Dowler Ministerial Code Ministry of Justice Ministry of Justice cuts misfeasance in public office modern slavery morality morocco mortuaries motherhood Motor Neurone disease Moulton Mousa MP expenses Mr Gul Mr Justice Eady MS (Palestinian Territories) (FC) (Appellant) v Secretary of State for the Home Department murder murder reform Musician's Union Muslim NADA v. SWITZERLAND - 10593/08 - HEJUD [2012] ECHR 1691 naked rambler Naomi Campbell nationality National Pro Bono Week national security Natural England nature conservation naturism Nazi negligence Neuberger neuroscience Newcastle university news News of the World new Supreme Court President NHS NHS Risk Register Nick Clegg Nicklinson Niqaab Noise Regulations 2005 Northern Ireland nuclear challenges nuisance nursing nursing home Obituary Occupy London offensive jokes Offensive Speech offensive t shirt oil spill olympics open justice oppress OPQ v BJM orchestra Osama Bin Laden Oxford University paramountcy principle parental rights parenthood parking spaces parliamentary expenses parliamentary expenses scandal Parliamentary sovereignty Parliament square parole board passive smoking pastor Terry Jones patents Pathway Students Patrick Quinn murder Pensions persecution personal data Personal Injury personality rights perversity Peter and Hazelmary Bull PF and EF v UK Phil Woolas phone hacking phone taps physical and mental disabilities physician assisted death Pinnock Piracy Plagiarism planning planning human rights planning system plebgate POCA podcast points Poland Police police investigations police liability police misconduct police powers police surveillance Policy Exchange report political judges Politics Politics/Public Order poor reporting Pope Pope's visit Pope Benedict portal possession proceedings power of attorney PoW letters to ministers pre-nup pre-nuptial Pre-trial detention predator control pregnancy press press briefing press freedom Prince Charles prince of wales princess caroline of monaco principle of subsidiarity prior restraint prison Prisoners prisoners rights prisoners voting prisoner vote prisoner votes prisoner voting prison numbers Prisons prison vote privacy privacy injunction privacy law through the front door Private life private nuisance private use proceeds of crime Professional Discipline Property proportionality prosecution Protection of Freedoms Act Protection of Freedoms Bill Protest protest camp protest rights Protocol 15 psychiatric hospitals Public/Private public access publication public authorities Public Bodies Bill public inquiries public interest public interest environmental litigation public interest immunity Public Order Public Sector Equality Duty putting the past behind quango quantum quarantine Queen's Speech queer in the 21st century R (on the application of) v Secretary of State for the Home Department & Ors [2011] EWCA Civ 895 R (on the application of) v The General Medical Council [2013] EWHC 2839 (Admin) R (on the application of EH) v Secretary of State for the Home Department [2012] EWHC 2569 (Admin) R (on the application of G) v The Governors of X School Rabone and another v Pennine Care NHS Foundation Trust [2012] UKSC 2 race relations Rachel Corrie Radmacher Raed Salah Mahajna Raed Saleh Ramsgate raptors rehabilitation Reith Lectures Religion resuscitation RightsInfo right to die right to family life right to life Right to Privacy right to swim riots Roma Romania Round Up Royals Russia saudi arabia Scotland secrecy secret justice Secret trials security services sexual offence Sikhism Smoking social media social workers South Africa south african constitution Spain special advocates spending cuts Standing starvation statelessness stem cells stop and search Strasbourg super injunctions Supreme Court Supreme Court of Canada surrogacy surveillance swine flu Syria Tax Taxi technology Terrorism terrorism act tort Torture travel treason treaty accession trial by jury TTIP Turkey Twitter UK Ukraine unfair consultation universal jurisdiction unlawful detention USA US Supreme Court vaccination vicarious liability Wales War Crimes Wars Welfare Western Sahara Whistleblowing Wikileaks wildlife wind farms WomenInLaw Worboys wrongful birth YearInReview Zimbabwe


This blog is maintained for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such. Blog posts reflect the views and opinions of their individual authors, not of chambers as a whole.

Our privacy policy can be found on our ‘subscribe’ page or by clicking here.

%d bloggers like this: