Last week saw the case of R (Bridges) v Chief Constable of South Wales Police return before the Court of Appeal. The case concerns police use of automated facial recognition (AFR) software and the delicate balance between the public interest in effective policing and the potential new technology brings for intrusion by the State into the private lives of her citizens.
The claimant (and now appellant), backed by Liberty, brought a judicial review against the use of AFR by South Wales Police (SWP) in 2018. He had been present in Cardiff on two occasions in December 2017 and March 2018 when AFR had been deployed by the police. SWP was, and continue to be, a national lead in England and Wales when it comes to police use of a specific type of AFR known as ‘AFR Locate’ (also referred to as ‘Live’ facial recognition), and are running an ongoing pilot of this particular application of the technology.
AFR Locate works by taking a live feed from a camera which is deployed overtly (i.e. its use is advertised). The software then extracts faces captured in the footage and processes them, distilling each face into a matrix of numbers that encodes the sizes, angles, shapes, lengths etc. of facial features. Each matrix forms a unique biometric template. This is then compared with templates pre-loaded per deployment onto a police ‘watchlist’. If there is a match, a police officer is alerted and reviews the source images to determine whether to make an intervention. If there is no match, the biometric template is immediately deleted without ever becoming visible to a human.
The claim alleged a number of public law breaches, most notably an unjustified interference with Article 8 ECHR privacy rights, along with breaches of the Data Protection Act 2018, and the Public Sector Equality Duty in the Equality Act 2010 (it was contended that the AFR software performed less accurately when it came to identifying non-white people and women).
As regards Article 8, the full array of concerns was in issue before the Divisional Court – interference, vires, accessibility/foreseeability, and proportionality. By the time the case reached the Court of Appeal, however, interference and vires were considered settled: SWP accepted the Divisional Court’s judgment that the capturing and analysing of biometric data of members of the public even where data was instantaneously deleted was a sufficiently serious interference into their private lives to get over the initial hurdle of A8(1); the claimant for his part accepted the Divisional Court’s judgment that the police had the power to deploy AFR Locate by virtue of their common law powers to prevent and detect crime and keep the peace (Rice v Connolly  2 All ER 649).
Before the Court of Appeal, the majority of the argument concerned the first Ground: whether the Divisional Court erred in their analysis of the ‘in accordance with law’ element of A8(2) and whether the legal framework which governed the use of AFR Locate had the requisite quality.
The claimant argued:
- The requirements for accessibility, foreseeability and sufficiency of safeguards against abuse were not met by the elements of law identified by the Divisional Court which were too generalised and high level.
- The under-regulation of the ‘who’ and the ‘why’ aspects of privacy – who was included on a watchlist, what police objectives could justify a deployment – could hypothetically lead to the police being able to track any person of interest around the country and learn multiple details about his/her private life, using a network of thousands of CCTV cameras all feeding into AFR software running 24/7.
- In this sense, the privacy concerns and the amount of information obtainable about a person’s private life were similar to those considered by the CJEU in Tele2 when looking at the regime governing retention and access to communications data. Furthermore, the regime governing AFR existed in stark contrast with that governing police use of fingerprints or DNA samples.
The claimant was supported on this ground by an intervention from the Information Commissioner (albeit she framed her argument under section 35 of the Data Protection Act and the requirement that data processing be “based on law”).
The defendant/respondent police force argued:
- The legal framework identified by the Divisional Court did meet the requirements of accessibility, foreseeability and had built-in sufficient safeguards against abuse. Lord Sumption’s judgment in R (Catt) v Commissioner of the Metropolitan Police  UKSC 9 provided a full answer to the claimant’s complaints about its ‘high level’ nature. In that case (which concerned police collection and retention of personal information) Lord Sumption held that a similar legal framework met the ‘in accordance with law’ criteria, and that the law did not have to codify answers to every possible issue.
- The claimant’s hypothetical scenarios did not fall within the scope of the claim which was a challenge to the legal framework governing SWP’s use of AFR Locate. The legality principle should be examined as it related to that particular system (including how that system operated in practice) and not to the hypotheticals of how police might use any type of AFR technology in general.
- Similarly, the courts should adopt a ‘relativist’ approach to the legality requirement. DNA and fingerprints could be distinguished from AFR Locate because of the degree of intrusion and the data retention issues involved. On a spectrum with regular CCTV use towards one end and the capture and retention of communications data (Tele2) towards the other, the circumstances of AFR Locate were in fact on the nearside of CCTV.
The SWP was supported on this ground by the Secretary of State for the Home Department as an interested party, and the Surveillance Camera Commissioner and the Police and Crime Commissioner for South Wales as interveners (the latter made no oral submissions).
As regards the remaining grounds, the appellant argued: that the Divisional Court erred in not weighing the aggregate interference with potentially tens-of-thousands of private lives in the ‘negative’ side of the Article 8 proportionality balance; that the SWP had not had regard to racial and gender biases in the application of AFR Locate; and that the impact assessment and sensitive processing policy documents required by the Data Protection Act 2018 were inadequate.
The SWP countered: that the appellant’s proposed approach to proportionality was not supported by the caselaw and that the legitimate objectives of law enforcement justified very minor interferences; that SWP had carried out an Equality Impact Assessment and that in any event the human checks on the software matches formed a key ‘failsafe’; and that their data protection documents were adequate.
Judgment was reserved.
Thomas Yarrow was junior counsel for the Interested Party, instructed by the Government Legal Department for the Secretary of State.