Facial Recognition Technology not “In Accordance with Law”
13 August 2020
R (on the application of Edward Bridges) v Chief Constable of South Wales Police (Respondent) and Secretary of State for the Home Department and the Information Commissioner, the Surveillance Camera Commissioner and the Police and Crime Commissioner for South Wales (Interested Parties)  EWCA Civ 1058
The Court of Appeal, overturning a Divisional Court decision, has found the use of a facial recognition surveillance tool used by South Wales Police to be in breach of Article 8 of the European Convention on Human Rights (ECHR). The case was brought by Liberty on behalf of privacy and civil liberties campaigner Ed Bridges. The appeal was upheld on the basis that the interference with Article 8 of the ECHR, which guarantees a right to privacy and family life, was not “in accordance with law” due to an insufficient legal framework. However, the court found that, had it been in accordance with law, the interference caused by the use of facial recognition technology would not have been disproportionate to the goal of preventing crime. The court also found that the Data Protection Impact Assessment (DPIA) was deficient, and that the South Wales Police (SWP), who operated the technology, had not fulfilled their Public Sector Equality Duty.
The case concerned the use of automated facial recognition (AFR) technology. AFR technology uses biometrics, unique biological data such as facial measurements, to identify individuals from a database of photographs. It was being used in a pilot scheme in South Wales, where the technology was being deployed by police in large crowds to identify individuals who were “wanted on suspicion for an offence, wanted on warrant, vulnerable persons and other persons where intelligence [was] required”. Despite searching for a pre-specified list of people, the technology collected biometric data indiscriminately.
Ed Bridges claimed to be in the presence of AFR technology on two occasions and was thus assumed to have had the technology used on him. He argued that the use of the technology was a violation of his right to privacy under Article 8.
Functioning like a CCTV camera, AFR technology scans crowds of people, identifying faces and instantaneously assessing the facial measurements against a pre-established “watchlist” database of custody photographs. If no match was found, the biometric data would be instantly erased. On discovering a match between someone in the crowd and the watchlist, the program would flag the operator, a police officer, to review the match. If it was found to be accurate, an appropriate intervention would be staged.
Deep learning facial recognition software relies on training datasets, large databases of photographs of faces, to learn how to identify facial features and match biometrics. Some facial recognition software has been shown to be more accurate at identifying white people than people from ethnic minorities, and men than women, largely because the training datasets used contained more white men than other identities.
Article 8(2) says that the right to private life may only be interfered with “in accordance with law”. The basis for being “in accordance with law” is set out in R (Catt) v Association of Chief Police Officers  UKSC 9. The Divisional Court set out these general principles:
(1) The measure in question (a) must have ‘some basis in domestic law’ and (b) must be ‘compatible with the rule of law’, which means that it should comply with the twin requirements of ‘accessibility’ and ‘foreseeability’ (Sunday Times v United Kingdom (1979) 2 EHRR 245; Silver v United Kingdom (1983) 5 EHRR 347; and Malone v United Kingdom (1984) 7 EHRR 14).
(2) The legal basis must be ‘accessible’ to the person concerned, meaning that it must be published and comprehensible, and it must be possible to discover what its provisions are. The measure must also be ‘foreseeable’ meaning that it must be possible for a person to foresee its consequences for them and it should not ‘confer a discretion so broad that its scope is in practice dependent on the will of those who apply it, rather than on the law itself’ (Lord Sumption in Re Gallagher  UKSC 3 at ).
In the absence of these criteria, any measure will not be “in accordance with the law” and will thus violate Article 8(2) of the ECHR.
The appeal was allowed on three grounds: first, that there was an insufficient legal framework to make the violation of Article 8 “in accordance with the law”; secondly, as a consequence of the deficiencies of the legal framework, the DPIA “failed properly to assess the risks to the rights and freedoms of the data subjects”; thirdly, SWP had failed to pay due regard to the risk of indirect discrimination. This was because the SWP did not take into account the possibility of the AFR technology producing a disproportionate number of false positives when used on women and ethnic minorities.
The use of the AFR technology was found to not be “in accordance with the law” because of the insufficient legal framework for establishing who would be on the “watchlist” and where the technology would be deployed. The SWP Privacy Impact Assessment outlined the following constraints as to who could be on the “watchlist”:
These individuals could be persons wanted on suspicion for an offence, wanted on warrant, vulnerable persons and other persons where intelligence is required.
The court found that the inclusion of “other persons where intelligence is required” left “too broad a discretion vested in the individual police officer to decide who should go on the watchlist” for the decision to be accessible and foreseeable.
Furthermore, the court found that the SWP documentation did not outline any “normative requirement as to where deployment [of AFR] can properly take place”. It would therefore have been impossible for any individual to find out whether they were to be included on the watchlist and predict where the technology would have been deployed.
As a consequence of the failure to establish the correct legal framework, the SWP’s DPIA was also found to be deficient. The DPIA “proceed[ed] on the basis that Article 8… is not infringed”, and failed to properly address the need to be “in accordance with the law”. The court concluded that “the inevitable consequence of those deficiencies is that… the DPIA failed properly to assess the risks to the rights and freedoms of the data subjects”.
The SWP were also found to be deficient in their Public Sector Equality Duties in not recognising the risk of a disproportionate impact of the AFR technology upon women and minorities. Evidence from early facial recognition software suggests that there can be a greater risk of false positives for ethnic minorities and women. This was primarily due to the ethnic and gender makeup of the “training data”: if the training data consisted primarily of white men, the software would be better at identifying white men, reducing the chance of false positives (inversely, fewer ethnic minorities and women in the training data would increase the chances of false positives).
The court made it clear that the charge of bias was not being levelled against the software used by the SWP, given that there was no evidence of actual bias and no information regarding the training data. However, the mere possibility of indirect discrimination from higher false positives created a duty to pay that possibility due regard. That the SWP had failed to do so caused them to be deficient in their Public Sector Equality Duty.
It is significant that the appeal on the ground of proportionality failed. The court upheld the Divisional Court’s initial decision that the use of the software “struck a fair balance between the rights of the individual and the interests of the community”. The technology’s impact was “negligible… on the Appellant’s Article 8 rights”, and the fact that it was used indiscriminately, and therefore on many more people, does not make the impact on Article 8 rights more significant: as the court held, “it is not a question of simple multiplication”. As AFR technology was twice held to be proportionate to the goal of identifying and preventing crime in terms of Article 8 rights, this may help to justify its use in other circumstances.
The SWP has said that it remains “completely committed to [AFR technology’s] careful development and deployment”. The House of Commons Science and Technology Committee last year called for all AFR technology use to be suspended until regulation governing its use was in place.