A UK police force used automatic facial recognition unlawfully because it failed to adequately assess the impact on data protection, a court has ruled.
The Court of Appeal last week upheld three of the five grounds for appeal in a ruling against South Wales Police (SWP), following a legal challenge from member of the public Ed Bridges and pressure group Liberty.
The court found SWP’s data protection impact assessment was deficient. It also said there was no clear guidance on where the police force’s AFR Locate system could be used, who could be put on a watchlist and that no reasonable steps were taken to identify possible racial or gender bias.
However, the appeal ruling also said SWP’s use of the technology was a proportionate interference with human rights as the benefits outweighed the impact on Mr Bridges.
SWP has been trialling a system called AFR Locate, which involves the deployment of surveillance cameras to capture digital images of members of the public, which are then processed and compared with pictures of people on an SWP ‘watchlist’. If the images do not match, the data is automatically deleted. Data associated with a match is retained for 24 hours.
The Court of Appeal found that SWP’s use of AFR Locate in “all event types” meant “the range is very broad and without apparent limits”. “It is not said, for example, that the location must be one at which it is thought on reasonable grounds that people on the watchlist will be present,” it said.
SWP’s data protection impact assessment failed properly to assess the risks to the rights and freedoms of data subjects and did not include measures to address these risks, as required under section 64 of the Data Protection Act, the ruling said.
SWP Chief Constable Matt Jukes said: “The test of our ground-breaking use of this technology by the courts has been a welcome and important step in its development. I am confident this is a judgment that we can work with.”
Mr Bridges “We should all be able to use our public spaces without being subjected to oppressive surveillance.”
Click here to watch a discussion about the global controversy about facial recognition technology
Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.
Reserve your place before 2nd October, and receive VIP access to PrivSec Global which includes priority access to limited space sessions, workshops, networking opportunities and exclusive content.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.