Judgment Approved by the court for handing down.
R (Bridges) -v- CC South Wales & ors
AFR might be perceived as being privacy intrusive in the use of biometrics and facial
recognition and that Article 8 of the Convention was relevant. It sought to explain that
AFR would only avoid being in breach of Article 8 if it was necessary, proportionate,
in pursuit of a legitimate aim and in accordance with the law but that all those
requirements would be satisfied if AFR Locate was used in the manner set out. The
DPIA explained how AFR Locate operates. It is obvious from that explanation that
large numbers of the public would be caught through CCTV cameras used in the
deployment. It specifically stated that: “It is the intention during each deployment to
allow the AFR application to enrol and therefore process as many individuals as
possible”. That the public at large was potentially affected was reflected in the
statement that: “in order to ensure that the public are engaged in the use of the
technology every opportunity has been taken to demonstrate its use, to include during
Automated Facial Recognition deployments”.
152.
This Ground of Appeal is, however, correct insofar as it states that the DPIA proceeds
on the basis that Article 8 is not engaged or, more accurately, is not infringed. We have
found, when considering Ground 1 above, that AFR Locate fails to satisfy the
requirements of Article 8(2), and in particular the “in accordance with the law”
requirement, because it involves two impermissibly wide areas of discretion: the
selection of those on watchlists, especially the “persons where intelligence is required”
category, and the locations where AFR may be deployed.
153.
The inevitable consequence of those deficiencies is that, notwithstanding the attempt
of the DPIA to grapple with the Article 8 issues, the DPIA failed properly to assess the
risks to the rights and freedoms of data subjects and failed to address the measures
envisaged to address the risks arising from the deficiencies we have found, as required
by section 64(3)(b) and (c) of the DPA 2018.
154.
For those reasons, we will allow the appeal on this ground.
Ground 4: Compliance with section 42 of the DPA 2018
155.
The Appellant submits that one of the reasons why the use of AFR involves the
unlawful processing of personal data is because SWP has failed to satisfy the
requirements of the first data protection principle in section 35 of the DPA 2018. The
Divisional Court held that the processing was for law enforcement purposes and was
sensitive processing within section 35(3). In the circumstances of the present case, this
meant that the processing had to satisfy the requirements in section 35(5), which
included (in section 35(5)(c)) that, “at the time when the processing is carried out, the
controller has an appropriate policy document in place”. Section 42 of the DPA 2018
sets out what such a document must contain.
156.
As stated earlier, before the Divisional Court SWP relied on the November 2018 Policy
Document. The Divisional Court thought that it was open to question whether that
document, as then drafted, fully met the standard required by section 42(2) and said that
ideally it should be more detailed. In paragraph [141] of their judgment, which we have
quoted in full above, the Divisional Court said that the development and specific
content of the document was, for the time being, better left for reconsideration by SWP
in the light of further guidance from the Information Commissioner.