UK: Facial Recognition Technology In Quasi-Public Spaces – Julian Hayes Speaks To LexisNexis

Last Updated: 3 October 2019
Article by Julian Hayes

BCL partner, Julian Hayes discusses UK and EU law relevant to facial recognition technology (FRT) and how such law would apply if FRT were to be used within quasi- public spaces.

What is FRT and which laws presently govern it in the UK? Are there any plans for regulation?

FRT is a form of biometric recognition technology which uses facial features, usually comparing them to images held in a database, to verify that someone is who they claim to be (eg ePassport gates at airports or identifying 'persons of interest' in a busy street or recipients of football banning orders at a football match).

There are many variations in the way in which FRT works, but in general terms, FRT works by detecting and capturing a facial image, often via CCTV footage. Using a recognition algorithm, it then standardises the captured facial image (eg by size, rotation, etc) so that it is in the same format as images held on a database ('watchlist') of known individuals. The standardised captured image is then statistically compared to images on the watchlist. If a similarity threshold, set by the FRT operator, is reached, a 'match' takes place between the captured image and an image on the watchlist, and the person is identified. The match is usually verified by a human agent before any action is taken.

At present, there is no dedicated FRT legislation or Code of Practice in the UK. Instead, depending on who is using it and why, its use is affected by the Human Rights Act 1998, as well as bringing into play considerations under:

  • the European Convention on Human Rights (ECHR)
  • the General Data Protection Regulation (EU) 2016/679 (GDPR)
  • the Data Protection Act 2018 (DPA 2018)
  • guidance produced by the Surveillance Camera Commissioner (SCC), which is applicable in England & Wales including the Surveillance Camera Code of Practice (SC Code)
  • potentially by the ordinary law of confidence
  • potentially by the Regulation of Investigatory Powers Act 2000 (RIPA) where the surveillance is covert

As a result of this non-specific miscellany of primary and subordinate legislation, the use of FRT falls within the regulatory remit of the Information Commissioner (ICO), the SCC, the Biometrics Commissioner and the Investigatory Powers Commissioner's Office (IPCO). Despite the proliferation of oversight bodies, concerns have been expressed by some about the speed at which FRT is being deployed and the risk that regulatory lacunae may lead to misuse. For example, although private operators of FRT (eg retail parks) are encouraged to adopt the guiding principles for system operators set out in the SC Code, there is no obligation on them to do so. Even where 'relevant authorities' (eg the police) are obliged to have regard to the SC Code, failure to act in accordance with it does not of itself make that person liable to criminal or civil proceedings.

As a result of these concerns, legislators, regulators and NGOs have called for more comprehensive FRT regulation.

In the first legal challenge to the use of FRT brought by Ed Bridges against the South Wales Police, the High Court concluded that the current legal regime is adequate to ensure the appropriate and non-arbitrary use of FRT and that its use in this instance had complied with the applicable laws. However, it also noted that: 'the future development of [FRT] is likely to require periodic re-evaluation of the sufficiency of the legal regime' (R (Ed Bridges) v CC South Wales Police [2019] EWHC 2341 (Admin), [2019] All ER (D) 05 (Sep), para [97]).For more on the case, see News Analysis: High Court rules on lawfulness of police use of Automated Facial Recognition technology (R (on the application of Bridges) v Chief Constable of South Wales Police (Information Commissioner and another intervening)).

In the wake of the High Court decision, the Biometrics Commissioner suggested that parliament should consider whether to enact a specific framework for the use of biometrics such as FRT by the police and others, although the government has no official plans to do so. The ICO has indicated that it is finalising recommendations and guidance to police forces about planning, authorising and deploying future FRT. It is anticipated that the ICO will publish a revised code of practice for surveillance cameras and personal information, applicable to public and private operators, to ensure their use is compliant with GDPR and DPA 2018 obligations.

Meanwhile, it is understood that the European Commission is planning regulation to limit the indiscriminate use of facial recognition by companies and public authorities. The European Commission proposals are expected to be published by spring 2020 and it is likely that, despite the UK's intended departure from the EU, they will be mirrored in the UK.

Does GDPR apply to FRT? How will Brexit impact the UK in this area?

'Personal data' includes 'biometric data', of which facial images are one example and it applies to the processing of 'personal data' wholly or partly by automated means. As a result, the provisions of GDPR apply to the processing of FRT.

However, depending on the circumstances of the FRT application, the GDPR does not apply to processing by individuals for domestic purposes, nor does it apply to processing by competent authorities for the purposes of preventing, investigating, detecting or prosecuting criminal offences (which is instead covered by DPA 2018, Pt 3, see Practice Note: Processing personal data by law enforcement and intelligence agencies—an introduction to the Data Protection and Law Enforcement Directive and Part 3 of the Data Protection Act 2018.

Under GDPR, biometric data is 'special category personal data'. The processing of special category personal data is prohibited unless there is a lawful basis for processing and also one of a limited number of exceptions applies.

These exceptions include where:

  • the data subject has given explicit consent
  • the processing is vital to the interests of the data subject or another natural person
  • the processing is necessary for the reasons of substantial public interest, provided it has a clear legal basis, is proportionate and respects the essence of the right to data protection

DPA 2018 stipulates various mandatory conditions for using the 'substantial public interest' as an exception to process data such as the biometric images of an FRT system.

In the event of departing the EU, the UK will become a 'third country', restricting the cross-border flow of personal data from continental Europe to the UK until the EU decides that the UK's personal data protection regime provides substantially the same level of personal data protection as that of the EU. To facilitate such a decision, the government plans to incorporate the GDPR into domestic legislation. As a result, GDPR should effectively continue to apply after Brexit.

In recent years, the UK has seen the rise of so-called 'quasi-public spaces'—namely, open spaces that look like public spaces, but are instead private spaces that are conditionally opened to the public. What would be the legal repercussions of introducing FRT in quasi-public spaces and could this be open to legal challenge?

Private investment in civic spaces, for example museums and galleries, has existed for many years. Large-scale quasi or hybrid public spaces such as those at King's Cross in London containing places of work, retail and leisure establishments, however, are a relatively new phenomena, where—at the owner's discretion—members of the public are granted licence to enter what is private property in law. A private owner wishing to install FRT must be able to satisfy the requirements of the GDPR for processing the biometric data, including documenting a lawful basis for its processing and the exception which applies to the general prohibition on processing such special category personal data.

Increasingly, office buildings are introducing FRT systems to avoid sign-in queues. Such employers are relying on consent as an exception to the prohibition on processing biometric data. However, such consent must be voluntary, informed and unambiguous. One can see that where an alternative sign-in system is not available, relying on consent as a basis for FRT may be open to legal challenge. Some owners of quasi-public spaces argue that FRT is necessary for the substantial public interest of preventing or detecting crime or anti-social behaviour on their property. To rely on this exception, the owners must be able to demonstrate that the processing is necessary:

  • for the prevention or detection of an unlawful act
  • to perform it without the consent of the data subject because obtaining their permission would frustrate the purpose of the processing
  • for reasons of substantial public interest

Investigating recent instances of FRT at King's Cross, the ICO has emphasised that processing on the basis of substantial public interest must be 'strictly' necessary and proportionate. In other words, an alternative, less intrusive means of means of achieving the same end may give rise to legal challenge to the use of FRT on this basis.

Whereas the ECHR does not normally apply to private organisations, it may arguably apply to them in the performance where they are carrying out a public function (see HRA, s 6(3)(b)). For example, if when exercising their law enforcement duties the police routinely use the FRT system of a private owner, it is conceivable that an aggrieved litigant might seek to argue that the ECHR principles also apply to the private owner as well as the police, and bring a challenge for breach of their human rights under HRA. As a result, where law enforcement authorities seek to co-operate with private entities over FRT, private organisations might first wish to be confident that they were not exposing themselves to unnecessary legal risk.

If owners of quasi-public spaces were to introduce FRT, how practically could and should this be regulated? What are some of the key challenges to this?

Owners of quasi-public spaces that introduce FRT must comply with the GDPR and applicable provisions of DPA 2018. As such, they are regulated by the ICO whose powers are set out in DPA 2018, Pt 6 and supplemented by the ICO's Regulatory Action Policy. They may also voluntarily abide by the SC Code and although there is no obligation on them to do so, such compliance may go some way to demonstrating adherence to the data protection legislation enforced by the ICO.

That said, it is fair to say that the deployment of technology has outstripped the ability of the applicable legislation and regulation to keep pace. The legal challenge brought by Bridges against South Wales Police's use of FRT (see above) was a first step towards developing an accepted framework within which law enforcement deploys this

technology. Although the High Court accepted that the police trials under scrutiny were lawful in both human rights and data protection terms, the judgment is subject to appeal, which will take some time. Any appeal is unlikely to address directly the burgeoning private use of FRT.

The reality is that this technology cannot be 'uninvented' and the key challenge is ensuring that clear, accessible and generally accepted rules are in place to ensure that all concerned—operators and data subjects (including both those whose images are captured and those on the watch list)—are in no doubt as to their rights and obligations as the technology develops and improves.

The House of Commons Science and Technology Committee recently stated that authorities should cease all trials of FRT until a legal framework is established, calling into question the legal basis and the potential threat to privacy raised by the use of the technology. What—if any—differentiating or distinguishing factors might be applied to justify the use of the technology in 'quasi-public' as opposed to public spaces, or are the issues likely to be the same?

Given the tighter legal and regulatory framework applicable to the deployment of FRT by law enforcement agencies in public spaces, and the greater public scrutiny they ultimately face, the public might arguably feel there is more justification for the use of FRT by the police in public spaces than by private entities in quasi-public areas.

That said, the circumstances in which biometric data in FRT systems may be processed by private entities under the GDPR (as amplified by DPA 2018) are narrowly defined to ensure processing is lawful. Provided private entities are able to bring themselves within the existing legislative criteria for using FRT, it is not difficult to see how they might justify its use in quasi-public areas. FRT would free-up law enforcement resources allowing their deployment only where necessary, help reduce crime and disorder, and create a safer environment for those using quasi-public spaces.

Admittedly, these are all factors which law enforcement agencies also cite for the use of FRT. Important in avoiding a future backlash will be ensuring that private FRT operators are aware of how to use this next generation technology responsibly and within the constraints of the current and any future legal framework which is introduced.

Interviewed by Tom Inchley.

This article was originally published by LexisNexis on 24th September 2019. You can read the full version here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
In association with
Related Topics
 
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions