UK biometric surveillance exists in ‘legal grey area’
The rapid proliferation of ‘biometric mass surveillance technologies’ throughout the UK’s public and private sectors is taking place without legal certainty or adequate safeguards for the public
The UK’s patchwork approach to regulating biometric surveillance technologies is “inadequate”, placing fundamental rights at risk and ultimately undermining public trust, says the Ada Lovelace Institute (ALI).
As UK public and private organisations rapidly expand their use of various biometric surveillance technologies, an analysis by the ALI has found that “significant gaps and fragmentation” in the existing governance frameworks for these tools means people’s rights are not being protected.
While the Ada Lovelace Institute’s analysis focused primarily on deficiencies in UK policing’s use of live facial recognition (LFR) technology – which it identified as the most prominent and highly governed biometric surveillance use case – it noted there is a need for legal clarity and effective governance for “biometric mass surveillance technologies” across the board.
The urgent need for comprehensive regulation also extends to other forms of facial recognition, including retrospective or operator-initiated, which have so far received less public attention and regulatory oversight than LFR despite their “active use” by UK police.
“Our legal analysis shows that the UK’s current ‘diffused’ governance model falls short of ensuring the proportional, accountable and ethical use of biometrics. Police use of LFR is the most highly governed biometrics application in the UK and yet does not meet the bar of a ‘sufficient legal framework’,” said ALI, adding that the clear inadequacy of the current approach means other use cases, particularly on the private sector side, have even less effective governance and oversight.
“The range of impacts presented by this growing use cannot be managed effectively without a centralised governance model: a clear, coherent legal framework and a dedicated, independent regulatory body, responsible for managing current technologies and anticipating future developments.
“Importantly, this framework must be comprehensive across use cases – covering police use, private sector surveillance and inferential biometric systems to meaningfully mitigate risks to around privacy and discrimination, and ensure accountability.”
The ALI said a piecemeal approach developed in the wake of Bridges versus South Wales Policein August 2020– the UK’s only case law on LFR to date – in which the Court of Appeal ruled the force’s use of the technology to be unlawful. It specifically highlighted “fundamental deficiencies” in the legal framework, noting that “too much discretion” was given to individual officers, and that criteria about where to deploy and who to include in watchlists was unclear.
The ALI said while “a fragmented patchwork of voluntary guidance, principles, standards and other frameworks has been developed by regulators, policing bodies and government” to control police LFR use since the ruling, the documents taken together largely fail to address the concerns of the court.
Specifically, the ALI highlighted an ongoing lack of clarity around the necessity and proportionality of any given LFR deployment, as well as a lack of clear criteria for developing and deploying watchlists.
The ALI added that although “high-level police guidance and local police policies” address different concerns, the “diffused” governance model has created gaps that are not being filled. “Responsibility for developing and implementing each policy or piece of guidance is delegated across a range of relevant actors, including regulators, policing bodies and central government, and no formal incentives to monitor or report on implementation and compliance exist,” it said.
Widening the discussion
However, the ALI was clear that while much of the public discussion has so far focused on police LFR, the risks posed by biometric surveillance technologies are not limited to a single sector or use case, and instead arise from the combined effects of increasingly widespread deployment, opaque processes, and the growing use of sensitive data to make inferences, predictions and decisions about people by a range of actors.
“Only a comprehensive approach can close loopholes, keep pace with technological developments, and safeguard public trust in how biometric systems are used,” it said, specifically noting that any biometrics regulation limited to police LFR alone could create “perverse incentives for outsourcing law enforcement responsibilities” to companies with fewer governance obligations and incentives to uphold rights.
There is no specific law providing a clear basis for the use of live facial recognition and other biometric technologies that otherwise pose risks to people and society
Nuala Polo, Ada Lovelace Institute
“There is no specific law providing a clear basis for the use of live facial recognition and other biometric technologies that otherwise pose risks to people and society. In theory, guidance, principles and standards could help govern their use, but our analysis shows that the UK’s ad hoc and piecemeal approach is not meeting the bar set by the courts, with implications for both those subject to the technology, and those looking to use it,” said Nuala Polo, UK public policy lead at the ALI.
She added that while police and other organisations claim their deployments are lawful under existing duties, these claims are almost impossible to assess without retrospective court cases.
“It is not credible to say that there is a sufficient legal framework in place. This means the rapid roll-out of these technologies exists in a legal grey area, undermining accountability, transparency and public trust – while inhibiting deployers alive to the risks from understanding how they can deploy safely,” said Polo. “Legislation is urgently needed to establish clear rules for deployers and meaningful safeguards for people and society.”
To alleviate the issues identified, the ALI outlined a number of policy recommendations for the UK government, including risk-based legislation analogous to the European Union’s Artificial Intelligence Act, which would tier legal obligations depending on the risk level associated with a given biometric system, and specify new safeguards in law, such as transparency requirements and mandated technical standards.
It also recommended adopting a definition of biometrics as “data relating to the physical, physiological or behavioural characteristics of a natural person” so that both existing and new forms of biometric surveillance are captured, and establishing an independent regulatory body to oversee and enforce any new legal framework.
“Task the independent regulatory body, in collaboration with policing bodies, to co-develop a code of practice that outlines deployment criteria for police use of facial recognition technologies, including live, operator-initiated and retrospective use,” it said. “This code of practice should address the ambiguity and subjectivity of criteria within current guidance and ensure consistency across police deployments.”
Computer Weekly contacted the Home Office about the ALI report, as well as the repeated calls for biometric regulation from Parliament and civil society groups over the years.
“Facial recognition is an important tool in modern policing that can identify offenders more quickly and accurately, with many serious criminals having been brought to justice through its use,” said a Home Office spokesperson.
“All police forces using this technology are required to comply with existing legislation on how and where it is used, and we will continue to engage publicly about the use of this technology and the safeguards that accompany it. We will set out our plans for the future use of facial recognition technology, alongside broader policing reforms, in the coming months.”
Previous calls for biometric regulation
Both Parliament and civil society have made repeated calls for new legal frameworks to govern UK law enforcement’s use of biometrics.
All police forces using [LFR] technology are required to comply with existing legislation on how and where it is used... We will set out our plans for the future use of facial recognition technology, alongside broader policing reforms, in the coming months
Home Office spokesperson
However, while most of these focused purely on police biometrics, the Ryder review in particular also took into account private sector uses of biometric data and technologies, such as in public-private partnerships and for workplace monitoring.
In a short follow-up inquiry, this time looking exclusively at facial recognition, the JHAC found that police are expanding their use of LFR without proper scrutiny or accountability, despite lacking a clear legal basis for their deployments. The committee also specifically called into question whether LFR is even legal.
The committee added that, looking to the future, there is a real possibility of networked facial recognition cameras capable of trawling entire regions of the UK being introduced, and that there is nothing in place to regulate this potential development.
Despite myriad calls for a new legislative framework from different quarters, government ministers have claimed on multiple occasions that there is a sound legal basis for LFR in the UK, and that “a comprehensive network of checks and balances” already exists.
Read more about biometric technologies
Essex Police discloses ‘incoherent’ facial recognition assessment: An equality impact assessment of Essex Police live facial recognition deployments is plagued by inconsistencies and poor methodology, undermining the force’s claim that its use of the technology will not be discriminatory.
Met Police to deploy permanent facial recognition tech in Croydon: The Met Police is set deploy permanent live facial recognition cameras on street furniture in Croydon from summer 2025, but local councillors say the decision – which has taken place with no community input – will further contribute the over-policing of Black communities.
UK data regulator should investigate police cloud deployments: The Scottish biometrics commissioner has called for the UK Information Commissioner’s Office to formally investigate whether Police Scotland’s cloud-based evidence sharing system is fully compliant with data protection laws.
