On 11 August 2020, the Court of Appeal ruled against the South Wales Police (SWP) in finding its use of automatic facial recognition (AFR) technology unlawful.

AFR is a way of verifying the identity of an individual through the use of technology. It uses biometrics to map facial features from a photograph or video, then compares the information with a database of known faces to find a match. The SWP employed this technology for approximately three years before Ed Bridges, a resident of Cardiff, and Liberty, a civil rights group, brought a legal challenge.

The case argued that the SWP’s use of AFR Locate caused Mr. Bridges distress on two occasions when his image was captured by the SWP in Cardiff. The matter was previously dismissed by London’s High Court, to which Mr. Bridges appealed on five grounds, maintaining that the technology was an intrusive and discriminatory mass surveillance tool.

The Court of Appeal upheld three of the five points raised in the appeal, ruling:
  1. there was no clear guidance on where AFR Locate could be used and who could be put on a watchlist,
  2. a data protection impact assessment was deficient, and
  3. the force did not take reasonable steps to find out if the software had a racial or gender bias.

Data Protection Impact Assessments (DPIAs)

One important aspect of this ruling is the fact that a court decided that a DPIA was deficient, thus further highlighting the importance of a robust data protection program and expertise within it. A DPIA is a process designed to help organizations systematically analyse, identify and minimise the data protection risks of a project or plan. It is a key part of an organization’s accountability obligations under the General Data Protection Regulation (GDPR), and when done properly, helps to assess and demonstrate compliance. Organizations are therefore required to carry out DPIAs when processing is likely to result in high risk to the rights and freedoms of individuals.

Data Protection Officers (DPOs) can be appointed to assist an organization assess the impact of a new product by identifying and minimizing data protection risks. A DPO also helps organizations demonstrate compliance by helping them build internal processes and procedures that ensure privacy by design and default. This is an option the SWP could have explored when they thought of using AFR technology.

Due to the important role DPIAs play in an organization, they must be done properly. As shown in this case, an inadequate DPIA can severely jeopardize an organization’s operations. Regardless of whether the SWP’s use of AFR was discriminatory or not, the fact that they did not take reasonable steps to find out is what made the technology unlawful.  With the assistance of a DPO, these steps could have been achieved with a robust DPIA.

Trends often appear in the public domain before migrating to the private sector. Organizations would do well to learn from and avoid the mistakes of public organizations evident in cases such as these. HewardMills is an outsourced DPO service that offers an experienced, multidisciplinary team to help organizations of any jurisdiction or industry meet the highest data protection standards.


Additional blog contributions: Helga Turku, data protection and privacy director and Peter Boaz, data protection and privacy consultant