Facial Recognition Drones in the UK
Quick Answer: Using facial recognition technology on drones in the UK is subject to some of the strictest data protection rules in British law. Biometric data, including facial recognition templates, is classified as special category data under Article 9 of the UK GDPR. Processing it requires meeting one of a limited set of conditions, and the bar is exceptionally high. For most private and commercial drone operators, deploying facial recognition from a drone would be extremely difficult to justify lawfully.
Why Facial Recognition Is a Special Case
Not all drone footage raises the same legal concerns. Standard aerial photography that incidentally captures people engages ordinary data protection rules. However, the moment a drone system processes images through facial recognition software to identify specific individuals, a fundamentally different legal regime applies.
Under Article 9 of the UK GDPR, biometric data processed for the purpose of uniquely identifying a natural person is classified as special category data. This category receives the highest level of protection in UK data protection law, alongside data revealing racial or ethnic origin, political opinions, religious beliefs, health data, and data concerning a person's sex life or sexual orientation.
The general rule under Article 9(1) is that processing special category data is prohibited. Processing is only permitted where one of the specific conditions listed in Article 9(2) applies. This is a significant departure from the processing of ordinary personal data, where operators have six available lawful bases under Article 6.
The Lawful Bases: A Narrow Set of Options
For most drone operators considering facial recognition, the relevant conditions under Article 9(2) are extremely limited:
- Explicit consent (Article 9(2)(a)) — Each individual whose face would be scanned must give explicit, informed consent. In a public space, obtaining advance consent from every person who might pass through the drone's field of view is practically impossible.
- Substantial public interest (Article 9(2)(g)) — This must be supported by a condition in Schedule 1 of the Data Protection Act 2018. The conditions are narrow and primarily relate to law enforcement, safeguarding, and regulatory activities.
- Law enforcement purposes — Police and other competent authorities have a separate regime under Part 3 of the DPA 2018, which permits biometric processing for law enforcement purposes subject to strict safeguards.
The legitimate interests basis that many drone operators rely on for ordinary footage under Article 6(1)(f) is not available for special category data. There is no legitimate interests condition in Article 9(2). This single fact makes facial recognition from commercial or recreational drones exceptionally difficult to justify.
The Bridges Case: A Landmark Ruling
The leading UK case on automated facial recognition is R (Bridges) v South Wales Police [2020] EWCA Civ 1058. In this case, the Court of Appeal held that South Wales Police's use of automated facial recognition technology was unlawful. The court found deficiencies in three key areas:
- The legal framework governing where and when AFR could be deployed was insufficiently clear
- The force had not taken reasonable steps to assess whether the software exhibited bias on grounds of race or sex, as required by the public sector equality duty under section 149 of the Equality Act 2010
- The data protection impact assessment was inadequate
If a police force with substantial resources and legal authority could not satisfy the courts that its AFR programme was lawful, the implications for private drone operators are significant. The judgment made clear that any deployment of facial recognition technology demands rigorous legal justification, thorough impact assessment, and robust safeguards against bias and misuse.
Data Protection Impact Assessment: Mandatory, Not Optional
Article 35 of the UK GDPR requires a Data Protection Impact Assessment whenever processing is likely to result in a high risk to the rights and freedoms of individuals. The ICO has published a list of processing operations that require a DPIA, and the use of biometric data for identification purposes is explicitly included.
For any organisation contemplating facial recognition on a drone, a DPIA is not just advisable but legally required. The assessment must:
- Describe the nature, scope, context, and purposes of the processing
- Assess the necessity and proportionality of the processing in relation to the purposes
- Assess the risks to the rights and freedoms of data subjects
- Identify the measures to address those risks, including safeguards, security measures, and mechanisms for demonstrating compliance
If the DPIA identifies a high risk that cannot be mitigated, the organisation must consult the ICO before proceeding under Article 36. The ICO has the power to prohibit the processing.
Law Enforcement: A Separate Framework
Police forces and other competent authorities operate under Part 3 of the Data Protection Act 2018, which transposes the EU Law Enforcement Directive into UK law. This framework permits the processing of biometric data for law enforcement purposes, subject to conditions including strict necessity and the authorisation of an appropriate officer.
Even within this framework, the use of facial recognition on drones by law enforcement remains controversial. Following the Bridges decision, any police deployment of drone-based AFR would need to demonstrate clear policies on where, when, and against which watchlists the technology would be used, a rigorous equality impact assessment, and a fully compliant DPIA.
Private security firms and commercial operators cannot rely on the law enforcement framework. Their use of facial recognition drones would need to meet the higher bar of Article 9(2) conditions applicable to private sector processing.
Common Misconceptions
Misconception: If it is in a public place, you can use facial recognition freely. Being in a public space does not eliminate a person's data protection rights. The UK GDPR applies to any processing of personal data regardless of location. Public spaces may reduce the reasonable expectation of privacy in some contexts, but biometric processing remains subject to Article 9 regardless.
Misconception: Anonymisation makes facial recognition permissible. If the system processes facial images through recognition algorithms before anonymising the output, the processing of biometric data has already occurred. The Article 9 restrictions apply at the point of processing, not at the point of output.
Misconception: Consent signs are sufficient. Unlike ordinary CCTV, where signage contributes to transparency, facial recognition requires explicit consent under Article 9(2)(a). A sign stating that facial recognition is in use does not constitute explicit consent from each individual captured.
Practical Guidance for Drone Operators
Given the current legal landscape, drone operators should approach facial recognition with extreme caution:
- Do not deploy facial recognition software on drone-captured footage without first obtaining specialist data protection advice and completing a full DPIA
- If you are a commercial operator, review whether your intended use case can genuinely meet one of the Article 9(2) conditions
- Consider whether your objective can be achieved through less intrusive means, such as standard video surveillance without biometric processing
- If your drone captures high-resolution footage of faces for purposes other than identification, ensure your processing systems do not inadvertently create biometric templates
- Monitor ICO guidance and case law developments, as the regulatory position on facial recognition technology continues to evolve
Looking Ahead
The UK government has signalled interest in establishing a clearer statutory framework for facial recognition technology. The Biometrics and Surveillance Camera Commissioner has called for dedicated legislation. Until such legislation materialises, drone operators must navigate the existing patchwork of UK GDPR provisions, DPA 2018 conditions, and case law.
For the vast majority of private and commercial drone operations, the safest and most practical position is clear: do not use facial recognition technology on your drone unless you have an unambiguous legal basis, a completed DPIA demonstrating proportionality, and robust measures to protect individuals' rights.
Check your flight plan instantly with MmowW Drone — the compliance companion built by a Gyoseishoshi.
Start Free — Your Drone, Legally Clear 0 setup fees · cancel anytime · BigMac Price forever