On 11 February 2026 we submitted a formal response to the Home Office consultation on a new legal framework for law enforcement use of biometrics, facial recognition, and similar technologies (DEP2025-0828). This is a condensed version of the substantive argument.
The legal bottom line is this:
Mass biometric surveillance of public spaces without judicial pre-authorisation, statutory basis, or adequate equality protections is incompatible with ECHR Articles 8, 10, 11, and 14, Data Protection Act 2018 Part 3 principles of strict necessity and proportionality, and the Public Sector Equality Duty under the Equality Act 2010 s.149.
Governance by fait accompli
Parliament has never voted on facial recognition. No UK statute mentions it by name. And yet:
- Fifty surveillance vans have been funded.
- Permanent cameras have been installed.
- Passport database searches against the live FR system are running at 25,000+ per month.
- All of this is operational before this consultation closes.
The infrastructure of mass facial recognition is being built in advance of the law that would authorise it. This is not the order in which constitutional democracies build coercive state power.
The bias data is now public
The government’s own data, published in National Physical Laboratory (NPL) reports in December 2025, demonstrates a 138-fold racial disparity in false positive rates for the algorithm currently processing those 25,000 monthly searches.
The government has procured an unbiased alternative (IDEMIA, 0% FPR at operational thresholds). It has not deployed it.
Police forces successfully lobbied to reverse bias-correction measures when those measures reduced match rates.
This is not a technology problem awaiting a technical solution. It is a policy choice — currently — to maintain a racially discriminatory system because correcting it would reduce arrest output. The Public Sector Equality Duty under s.149 of the Equality Act 2010 is engaged squarely.
The legal framework gap
The proposals fail several core rule-of-law and data-protection requirements:
Wrong statutory home. Live FR by police is law-enforcement processing — DPA 2018 Part 3, not the UK GDPR. The competent-authority framework imposes stricter necessity and proportionality tests. The consultation papers do not adequately ground their analysis in Part 3.
No PACE-equivalent threshold for FR-triggered stops. An algorithmic alert is not a “reasonable suspicion” basis for a stop under the Police and Criminal Evidence Act 1984. Treating it as one collapses a foundational protection of English criminal procedure.
No enforceable technical assurance. Vendor transparency, privacy-by-design controls, model attestation, and independent audit access are all absent from the proposed framework.
No judicially reviewable remedies. When the system gets it wrong — and on a 138x disparity it will get it wrong — there is no time-bounded, individual path to correction or compensation.
What we asked the government to do
We made eight asks. Four are essential, four are fallback safeguards if expansion proceeds.
Essential:
- Halt expansion until Parliament has specifically legislated on facial recognition, providing democratic mandate.
- Withdraw the discriminatory algorithm. Deploy the unbiased alternative the government has already procured. Restore the bias-correction measures that were reversed.
- Statutory pre-authorisation by senior judge for any live FR deployment, with published reasons.
- Ban retrospective FR searches against the passport database absent specific PACE threshold and judicial warrant.
Fallback if expansion proceeds:
- Statutory definition of “deployment” including all retrospective database searches.
- Mandatory NPL-equivalent independent testing every six months, with public results, gated on a bias bound.
- Mandatory custody-record fields capturing whether FR triggered the stop, the match score, and the demographic-disaggregated outcome.
- Two-year sunset clause on any framework legislation, with parliamentary review.
The convergence with digital ID
The 2026 Home Office FR consultation and the 2026 Cabinet Office digital identity consultation (CP 1498) draw on the same underlying biometric infrastructure. Passport, DVLA, and immigration databases anchor both. Without a statutory firewall, identity verification and police biometric search become indistinguishable downstream uses of the same lookup table.
Our digital ID consultation response treats this as the single most important safeguard: no national identity database may be used to train, seed, or query an FR system absent specific judicial pre-authorisation.
Evidence governance
Throughout the submission we applied a strict evidence-governance protocol: primary-sourced claims are stated affirmatively; media-reported claims are explicitly qualified; source confidence is rated; vendor data is cited to operator filings where available, to investigative journalism where not.
This is not a stylistic choice. Consultation responses that survive judicial review do so because their factual base survives adversarial scrutiny. We wrote ours as if it would be cited in litigation, because on a 138x disparity it eventually will be.
What comes next
The consultation closed on 12 February 2026. We expect a written response from the Home Office in due course. In the interim, we are tracking deployment, NPL test results, custody-record practice, and any indication of statutory intent.
If you operate a service or platform whose users may be affected by police FR — and if your service uses biometric verification of any kind, that is more of you than you think — get in touch. We do consultancy on biometric processing under DPA 2018 Part 3 and on privacy-preserving alternatives to identity verification.
The full 1,134-line submission is on file with the Home Office. Cosmo Codex Ltd, Company No. 16627148, is a UK privacy-first technology company. This submission was authored by the CEO, an IAPP Fellow of Information Privacy.