United Kingdom: Information Commissioner’s Office released statement on application of data protection law to facial recognition technology

On 13 August 2025, the Information Commissioner’s Office (ICO) released a statement confirming that facial recognition technology (FRT), including live facial recognition (LFR), is subject to data protection law and must be lawful, fair, proportionate, and strictly necessary for law enforcement purposes under Part 3 of the Data Protection Act 2018. The ICO outlined that such processing must have a clearly defined and limited purpose, be supported by key data protection documentation, including a Data Protection Impact Assessment (DPIA) and an Appropriate Policy Document (APD), and demonstrate that no less intrusive means could achieve the same aim while being effective in meeting the specified law enforcement purposes. The ICO emphasised requirements for accuracy, adequacy, relevance, and lawfulness of images used in watchlists, transparency through public information and contact details of the controller, and provision of rights information to individuals. It further highlighted the need for periodic testing and reviews to maintain accuracy and effectiveness and to manage and eliminate bias.