Government urged to tighten regulation around facial recognition technology
Current legal framework is riddled with fundamental deficiencies, experts say

Data privacy experts are calling on the government to urgently tighten regulation around facial recognition technology, amid growing concerns over its unregulated use by police forces and private companies across the UK.
A report published Thursday by the Ada Lovelace Institute, a leading authority on the ethics of AI, highlights what it describes as “significant gaps and fragmentation across biometrics governance.”
The independent research body is pressing prime minister Keir Starmer’s administration to establish a dedicated regulatory framework to clarify the lawful use of facial recognition and related technologies.
According to the Institute’s findings, the current legal framework is riddled with fundamental deficiencies, and the report expresses serious concerns over the legality of ongoing surveillance practices.
“The highly fragmented nature of biometrics governance makes it very difficult to know if police use of facial recognition technology is lawful,” the report states.
Last year alone, nearly five million faces were scanned by UK police, resulting in over 600 arrests, according to figures obtained by Liberty Investigates.
The technology, which uses AI to match individuals’ facial features against databases in real time, is increasingly being deployed beyond law enforcement, appearing in retail stores, supermarkets, and even football stadiums.
Privacy groups argue that this surge in use is happening in a “legislative void,” making the UK an outlier compared to other democracies.
“Live facial recognition is extremely invasive,” Sarah Simms, senior policy officer at Privacy International, told FT.
“It does require specific safeguards due to the nature of how the technology operates and the implications for people’s human rights.”
The technology’s controversial deployment has already faced legal challenges. In a landmark 2020 ruling, the Court of Appeal found that South Wales Police had violated privacy and data protection laws by using facial recognition.
Yet, campaigners say little has changed since.
Charlie Whelton, policy and campaigns officer at Liberty, said: “The UK is massively behind in regulating facial recognition technology, especially compared to Europe and the US where limits have already been put in place. We’re in a situation where we’ve got analogue laws in a digital age.”
The European Union’s recently passed AI Act places strict limits on the use of live facial recognition in public spaces, while several US states, including California and Massachusetts, have enacted partial or full bans.
Retailers in the UK, however, have moved in the opposite direction, with companies such as Southern Co-op, Budgens, Sports Direct, and most recently Asda, adopting the technology in response to rising incidents of theft and abuse against staff.
A number of these businesses participate in Project Pegasus, a data-sharing scheme that allows police to cross-reference CCTV footage against national databases.
Despite claims that the systems only target known offenders, critics argue the surveillance infringes on civil liberties, with reports of innocent individuals being wrongly flagged as shoplifters.
Dame Diana Johnson, minister for policing, acknowledged the growing unease in Parliament late last year, saying there were “very legitimate concerns” about the technology.
While asserting that facial recognition is already governed under existing human rights and data protection laws, she conceded this month that a bespoke legislative framework may now be necessary.
The report also warns of a new generation of biometric systems claiming to infer emotions, truthfulness, and intentions – technologies that pose even greater ethical and legal challenges.
“The ability to appropriately manage the risks of these technologies has not matured alongside this growing appetite for use,” it states.
Campaigners are now urging the prime minister to act swiftly and decisively.
“The Institute is calling for risk-based legislation covering both the private and public sector, with oversight and enforcement by an independent regulatory body. The proposed legislation should introduce tiered legal obligations based on the risk posed by each biometric system – similar to the EU AI Act – and empower the regulatory body to issue binding codes of practice for different use cases,” the report says.
A spokesperson for the Home Office defended the technology, stating: “Facial recognition is an important tool in modern policing that can identify offenders more quickly and accurately.”
