R (Bridges) v Chief Constable of South Wales Police

The Divisional Court considered whether South Wales Police's use of Automated Facial Recognition (AFR Locate) engaged Article 8 ECHR, complied with data protection law and satisfied the public‑sector equality duty. The court held that AFR processing of facial biometric data engages Article 8 because it involves capture, storage and sensitive processing capable of uniquely identifying individuals, and that such processing also amounts to processing of personal data under the Data Protection Act 1998 and the Data Protection Act 2018. The court accepted the police's common‑law powers to use overt CCTV and related analytic tools, and concluded that the existing legal framework (common law, the DPA 2018, the Surveillance Camera Code and local SWP policies) provided sufficiently accessible and foreseeable safeguards to satisfy the "in accordance with the law" requirement of Article 8(2).

The court applied the Bank Mellat proportionality test and, applying a close standard of scrutiny, concluded that the particular deployments challenged (21 December 2017 and 27 March 2018) were justified, proportionate and did not reveal a systemic proportionality deficit. The court further held that AFR processing constitutes "sensitive processing" under section 35(8)(b) DPA 2018 (biometric data for unique identification) and that SWP's processing met the requirements of section 35(5) as strictly necessary and fitting a Schedule 8 condition, although the adequacy of SWP's November 2018 policy document under section 42(2) was left for the Information Commissioner to clarify. Finally, the court rejected the claim that SWP had breached the public‑sector equality duty in April 2017, finding no evidence that SWP should have foreseen discriminatory inaccuracy at that stage.

The claimant, a civil liberties campaigner, challenged South Wales Police's trial use of Automated Facial Recognition (AFR Locate) in public places. He alleged breaches of Article 8 ECHR (privacy), contraventions of data protection law under the Data Protection Act 1998 and the Data Protection Act 2018 (including failure to carry out a data protection impact assessment), and failure to comply with the public‑sector equality duty (Equality Act 2010 s.149).

Parties and procedure: The case was heard in the Divisional Court (Haddon‑Cave LJ and Swift J). South Wales Police conceded the claimant's standing and, pragmatically, that the claimant was likely to have been in range of the AFR cameras on the two challenged occasions (21 December 2017, Queen Street; 27 March 2018, Motorpoint Arena). The Secretary of State, the Information Commissioner and the Surveillance Camera Commissioner intervened.

Relief sought: Judicial review of the lawfulness of SWP's AFR Locate deployments and the legal framework governing AFR; declaratory relief and other public‑law remedies were sought by the claimant.

Issues:

• Whether AFR Locate interfered with Article 8(1) rights and, if so, whether that interference was "in accordance with the law" and justified under Article 8(2) (necessity and proportionality);
• Whether AFR processing amounted to processing of personal and/or sensitive personal data under the DPA 1998 and the DPA 2018, and whether SWP complied with the first data protection principle (s.4(4) DPA 1998) and the DPA 2018 (s.35, s.42) and the obligation to carry out a data protection impact assessment (s.64);
• Whether SWP breached the public‑sector equality duty by failing to have due regard to possible disparate impacts on protected groups.

Court’s reasoning and conclusions: The court found that AFR Locate processing engages Article 8 because extraction and comparison of facial biometric data constitutes capture and storage of intrinsically private information and can individuate persons even when performed in public. The court rejected the argument that the process was merely the taking of expected public photographs: AFR involves automated biometric feature extraction, template creation and algorithmic comparison, not mere imaging. However, the court held that the police have adequate common‑law powers to deploy overt CCTV and AFR equipment because AFR is not a physically intrusive investigative technique and watchlists are compiled from lawful police records. The applicable legal framework comprises the DPA 2018 (Part 3), the Surveillance Camera Code (Protection of Freedoms Act 2012), and SWP’s operational policies; taken together these provide sufficient accessibility and foreseeability to satisfy the Article 8(2) "in accordance with the law" standard.

On proportionality (Bank Mellat test) the court accepted SWP's legitimate aims (prevention and detection of crime, public safety), found AFR rationally connected to those aims, and concluded that the specific challenged deployments were strictly necessary and proportionate (limited duration, overt deployment, human operator review before intervention). The court held AFR processing of members of the public also falls within the DPA 2018 definition of sensitive processing (biometric data for unique identification) and that the SWP's processing met the strict necessity and Schedule 8 condition tests in s.35(5), while reserving detailed assessment of SWP's s.42 "appropriate policy document" to the Information Commissioner. SWP’s data protection impact assessment was held to be adequate on the facts. Finally, the Equality Act claim failed because SWP had not been on notice in April 2017 that the licensed AFR system was likely to produce unlawful disparate impacts, and SWP continued to review equality issues during the trial.

Outcome: Claim dismissed in all respects. The court emphasised the need for ongoing oversight and review as AFR technology and its deployment evolve.

The claim for judicial review is dismissed. The court held that (1) AFR Locate processing engages Article 8 ECHR but SWP's deployments were "in accordance with the law" because the existing legal framework (common law powers, the Data Protection Act 2018 Part 3, the Surveillance Camera Code and SWP policies) provided accessible and foreseeable rules and safeguards; (2) the contested deployments were strictly necessary and proportionate under the Bank Mellat test; (3) AFR processing constitutes sensitive processing (biometric data for unique identification) under s.35(8)(b) DPA 2018 but SWP's processing met s.35(5) requirements (strict necessity and a Schedule 8 condition), subject to the Information Commissioner's guidance on the adequacy of SWP's section 42 policy document; and (4) SWP did not breach the public‑sector equality duty in April 2017. The court emphasised continued review and oversight as the technology develops.