Judgment Approved by the court for handing down
R (Bridges) v CCSWP and SSHD
where it may be deployed – the Claimant suggested only at places such as
airports, or at large public gatherings such as sporting events; (c) the classes
of persons who may be on a watchlist ��� the Claimant contends that watchlists
should only include “serious criminals at large”; (d) the sources from where
images included in watchlists may be obtained; and (e) clear rules relating to
biometric data obtained through use of AFR Locate – for example as to how
long it may be retained, and the purposes for which such information may (or
may not) be used. In the context of the requirement under section 35(2) of the
DPA 2018 that any processing of personal data must be “based on law”, the
Information Commissioner made a similar submission. Although she did not
seek to limit the categories of persons who might be included on watchlists,
her submission was that the categories of who could be included on a watchlist
needed to be specified by law. She also submitted that the purposes for which
AFR Locate could be used should be specified in law. Her overall submission
was that both any use of AFR Locate, and any decision as to who should be
included on a watchlist, needed to be the subject of “independent
authorisation”.
65.
Mr Squires QC relied upon Lord Kerr’s observation in his dissenting judgment
in Beghal v Director of Public Prosecutions [2016] AC 88 at [102] that:
“ 102. … The fact that a power is exercised sparingly
has no direct bearing on its legality. A power on which
there are insufficient legal constraints does not become
legal simply because those who may not have resort to
it, exercise self-restraint. It is the potential reach of the
power rather than its actual use by which its legality
must be judged.”
66.
He also drew attention to expressions of concern as to the adequacy of the
legal framework governing the use of AFR technology by the police. In his
Annual Report for 2017, the Biometrics Commissioner stated:
“303. Given that [the Protection of Freedoms Act] is
not generic legislation covering all biometrics used by
the police, the use by the police of these second
generation biometrics [which the Commissioner defined
as including facial image matching] is not currently
governed by any specific legislation, other than general
data protection legislation, and only by regulations
drawn up by the police themselves such as the
Management of Police Information principles (MOPI)
drawn up by the College of Policing. It is therefore the
case that technical development and deployment is
running ahead of legislation, which is why the Home
Office’s promised biometric strategy is urgently
needed” (emphasis added)