The ICO has issued a Report and Opinion on the use of Live Facial Recognition (LFR) technology by law enforcement in public places. See here for the Metropolitan Police’s description of what LFR includes.
The ICO Report draws conclusions from the ICO’s investigation into the use of LFR by the Metropolitan and South Wales Police (SWP) forces. The ICO Opinion (the first issued under the Data Protection Act 2018) sets out in wider terms the ICO’s advice and recommendations in connection with the use of LFR more generally.
In the words of the Information Commissioner, core to any consideration of new technologies in a law enforcement setting is the question of “how far should we, as a society, consent to police forces reducing our privacy in order to keep us safe?” This may be a question of balance in each case, mindful of the fact that the law may not immediately keep pace with technological development.
This was brought further into focus by R(Bridges) v The Chief Constable of South Wales [2019] EWHC 2341 (Admin) where the claimant submitted that SWP’s use of LFR breached the right to privacy, data protection laws and anti-discrimination laws. SWP’s use of LFR was held to be lawful in that instance, but as the ICO notes, the judgment in Bridges identified that steps could, and perhaps should, be taken further to codify the relevant legal standards that apply to LFR, and that the future development of LFR is likely to require periodic re-evaluation of the sufficiency of the applicable legal regime.
The ICO Opinion on LFR reminds us that existing data privacy laws provide a framework which law enforcement agencies should follow before deploying LFR. This includes Part 3 DPA 2018 (designed to implement the EU Law Enforcement Directive) and, in particular, the ICO focuses on the requirement for a controller, amongst other things, to demonstrate under Part 3 DPA 2018: (i) that it has a legal basis to justify the use of LFR (which could be for law enforcement purposes); (ii) that (in the absence of consent) the use of LFR is strictly necessary for the law enforcement purpose to which it relates; and (iii) that it has an appropriate policy document in place at the time of processing (explaining how the process complies with data protection principles and the controller’s policies in relation to retention and erasure). The ICO would also expect controllers to complete Data Protection Impact Assessments prior to their use of LFR given that LFR involves the processing of biometric data.
The ICO highlights (particularly in the light of Bridges and any subsequent appeal) that it will keep the use of LFR under review, with a view to addressing developments in this area. The ICO also recommends the publication of an LFR code of practice (similar to the existing Surveillance Camera Code issued under the Protection of Freedoms Act 2012) and intends to work with relevant stakeholders to implement this.
The ICO Report and Opinion on LFR potentially impact both the public and private sectors. Law enforcement agencies as well as private enterprises using and developing LFR products and services may wish to take note of the apparent direction of travel with respect to regulation in this space.