Facing the future: Live facial recognition technology, law enforcement and privacy
By Rowan Clapp
The Information Commissioner has provided guidance on the use of live facial recognition technology (“LFR”) by law enforcement agencies, following recent trials of LFR conducted by South Wales Police and the Metropolitan Police.
The Opinion sets out how the “highest standards” of compliance with data protection law are to be upheld to ensure public confidence in “potentially invasiv[e]” LFR technology, balancing privacy against effective policing. Considering the recent High Court decision in R(Bridges) v The Chief Constable of South Wales Police [2019] EWHC, the Commissioner identified a need to raise standards regarding the use of LFR in public spaces.
Major themes from the Commissioner’s opinion
- “Sensitive processing”: LFR involves the processing of biometric data and entails “sensitive processing” whether or not the collection of a facial image is used for a particular investigative purpose or whether biometric data will be deleted within a short period of time. Data Protection Officers considering LFR will need to have specific knowledge of data protection law regarding sensitive processing.
- “Strict necessity”: A controller may only engage in sensitive processing without the consent of the data subject where doing so is “strictly necessary for a law enforcement process.” This is a “high bar” which must include a consideration of the proportionality of the processing in the context of available alternatives to LFR. The purpose for which LFR is deployed occupies centre stage in this assessment. The more specific and serious the offence, the greater the likelihood that LFR will be strictly necessary. Further, the more targeted, intelligence-led and time-limited the use of LFR is, the more likely it will be to meet that threshold.
- Effectiveness: Authorities using LFR will need to measure its effectiveness for specified law enforcement purposes in order to ensure that the strict necessity threshold is crossed and that the use of the technique is proportionate. Effectiveness should be measured by demonstrable benefit to the public. Enforcement agencies are expected to apply learning from each deployment of LFR to ensure that successive use is beneficial.
- Early consideration: A controller’s approach to LFR must begin with the consideration of data protection at the earliest design stage of a proposed deployment of LFR. Such consideration will include ensuring that data is processed only for a specified and necessary purpose, and that where LFR products/services are adopted from vendors, they feature in-built data protection and privacy features.
- Individualism: In Bridges, the Commissioner submitted that the tests of strict necessity and proportionality were not met. Whilst the Commissioner’s Opinion respects the contrary finding of the High Court, it emphasises that Bridges is confined to its facts and does not represent a blanket justification for LFR, even for short periods. Enforcement authorities should take time to ensure that they carefully consider the strict necessity test whenever LFR is considered.
- The “appropriate policy document”: The Commissioner will provide further guidance on what is required to meet the obligations set out in s.42 DPA 2018, having concluded, in Bridges, that the relevant document could have been more detailed.
- Code of practice: As LFR technology becomes more widely deployed, inconsistencies in the determination of the proportionality and “strict necessity” of its use are likely. The Commissioner, therefore, requests that the government produce a statutory code of practice which provides clearer boundaries on these matters. Doing so will ensure that a clear, precise and foreseeable legal justification for LFR is available.
- Data Protection Impact Assessments (“DPIAs”): The Commissioner expects controllers to complete DPIAs before every LFR deployment. The assessment should explain how the test of strict necessity has been met and identify why less intrusive methods cannot be pursued, alongside any available effective mitigating methods. The DPIA must identify the objectives of the LFR and how effectiveness will be measured. As living documents, DPIAs should be continually reviewed.
The Commissioner clearly intends to closely scrutinise authorities’ purported compliance with data protection law in this developing area, and will ensure that codes of practice are in place to make the legal position as clear as possible. As the Commissioner herself put it, “[m]y office’s investigation has concluded, but our work in this area is far from over.”