FLOCKWATCH / INTERNATIONAL

International Comparison

How the UK ANPR regime, EU GDPR, and US ALPR patchwork differ on retention, oversight, purpose limitation, and data subject rights.

UK ANPREU GDPRUS patchwork

The United States has no comprehensive federal ALPR statute. Other democracies have built stronger governance frameworks for the same technology.

UK: centralized oversight

The UK operates a national ANPR (Automatic Number Plate Recognition) system under centralized Home Office governance. Key features:

  • National strategy with defined policing purposes (counter-terrorism, serious organized crime, major crime)
  • Retention defaults generally shorter than US commercial equivalents
  • Office of Surveillance Commissioners historically provided independent oversight of surveillance powers
  • Biometrics and Surveillance Camera Commissioner provides statutory scrutiny of camera systems including ANPR
  • Explicit data-subject rights under the UK GDPR and Data Protection Act 2018

The UK system is not perfect — civil-society groups including Big Brother Watch and Liberty have documented over-retention and purpose creep — but the governance architecture exists. There are statutory commissioners with investigative authority, not just vendor self-reporting.

EU: GDPR applies to ALPR

Under GDPR, license plate data is personal data. Processing it triggers Article 6 lawful-basis requirements:

  • Purpose limitation must be explicit and narrow (Article 5(1)(b))
  • Data minimization prohibits dragnet collection beyond what is necessary (Article 5(1)(c))
  • Storage limitation requires defined retention with justification (Article 5(1)(e))
  • Data subject rights include access, rectification, erasure, and objection (Articles 15-21)
  • DPIAs (Data Protection Impact Assessments) are required for large-scale systematic monitoring (Article 35)

Several EU member states have ANPR deployments, but they operate under these constraints. The Dutch, German, and French systems have been challenged in national courts and refined under GDPR pressure. None has the open-ended retention and nationwide commercial sharing model that characterizes the US market.

US: the patchwork

The United States combines:

  • No federal ALPR statute — no national retention limit, no national purpose limitation, no data-subject access right
  • State-by-state regulation ranging from New Hampshire's 3-minute purge to no limit at all
  • Commercial vendor control over network configuration defaults — Flock has been caught enabling nationwide sharing without the city's knowledge (FW-019)
  • Constitutional doctrine that treats single observations as non-searches but has not resolved aggregated historical query at scale (the Norfolk ruling (FW-023) is the first trial-court decision to treat ALPR data collection as a Fourth Amendment search)

Comparative table

FeatureUS (federal)US (strongest state)UK ANPREU (GDPR)
Comprehensive statuteNoneCA / WA SB 6002Yes (Home Office)Yes (GDPR)
Retention limitNone3 min (NH) to 90 days (NC)Defined by strategyJustified by purpose
Purpose limitationNoneWA SB 6002Counter-terror, serious crimeArticle 5(1)(b)
Data subject accessNoneNone statutoryDPA 2018GDPR Arts 15-21
Independent oversightNoneNone statutorySCC / OSCDPA / DPO
Vendor self-certificationCommonAddressed in CA/WANoNo
Warrant for historicalNoneWA (private data only)VariesArticle 8 ECHR

The structural lesson is that the US has delegated ALPR governance to the market — vendors configure defaults, agencies buy subscriptions, and regulation follows harm rather than preceding it. The UK and EU models regulate first, deploy second.

Read the state regulation comparison - Read the legal analysis