How does the EU AI Act address biometric identification, and how do its provisions compare to those of the GDPR regarding biometric data?
Biometric identification encompasses a variety of methods for verifying an individual’s identity. It can be utilized for various purposes, such as user authentication (e.g., unlocking smartphones) or verification at border crossings by matching a person’s identity with their travel documents (one-to-one matching). Additionally, biometric identification can be applied remotely, enabling the identification of individuals within a crowd by comparing their image against a database (one-to-many matching). The accuracy of facial recognition systems can vary significantly, influenced by factors like camera quality, lighting conditions, distance from the subject, the database used, the specific algorithm employed, and even the subject’s ethnicity, age, and gender. This applies similarly to other biometric systems, such as gait and voice recognition. While advanced systems are constantly improving, reducing false acceptance rates, even a seemingly high accuracy rate of 99% can be concerning if it leads to the suspicion of an innocent person. When dealing with large populations, even a 0.1% error rate can have significant consequences.
EU AI Act limits real-time remote facial recognition in public spaces by law enforcement, except for specific crimes
The EU AI Act prohibits the use of real-time remote biometric identification (facial recognition) for law enforcement in publicly accessible spaces, except in specific cases. These cases include activities related to 16 specified crimes, as well as targeted searches for specific victims, and prevention of threats to persons or terror attacks. The list of 16 crimes includes terrorism, trafficking in human beings, child sexual exploitation, illicit drug and weapon trafficking, and other serious offenses.
Remote biometric identification and post remote biometric identification require prior judicial or administrative authorization and notification of relevant authorities.
Real-time remote biometric identification by law enforcement authorities would be subject to prior authorization by a judicial or independent administrative authority whose decision is binding. In cases of urgency, authorization can be done within 24 hours; if the authorisation is rejected, all data and output needs to be deleted. Prior fundamental rights impact assessment is required, and the relevant market surveillance authority and data protection authority must be notified. In urgent cases, the system may be used without registration. For post remote biometric identification (identification of persons in previously collected video material) of persons under investigation, usage of AI systems requires prior authorization by a judicial or independent administrative authority and notification of the data protection and market surveillance authority.
The EU AI Act and GDPR align in biometric identification with regard to informed consent, prohibited uses, and security.
The EU AI Act and GDPR provisions on biometric identification share several similarities. Both regulations require organizations to obtain informed consent from individuals before collecting and processing their biometric data. They prohibit the processing of biometric data for certain purposes, such as mass surveillance or discriminatory practices, and impose strict security measures to protect biometric data from unauthorized access, use, or disclosure.
The EU AI Act focuses on biometric identification systems with specific purpose limitations for biometric data processing, risk assessment requirements and other obligations, while the GDPR has a broader scope.
However, there are also some key differences between the two regulations. The EU AI Act pertains specifically to biometric identification systems, whereas the GDPR applies more broadly to the processing of biometric data in general. The EU AI Act imposes more specific purpose limitations on the processing of biometric data for identification purposes. It requires organisations to conduct a thorough risk assessment prior to deploying biometric identification systems, and imposes additional transparency and accountability obligations on organisations that utilise biometric identification systems.
The EU AI Act and GDPR regulate biometric identification, working together to balance innovation and individual rights.
The EU AI Act and the GDPR work in tandem to create a comprehensive framework for regulating biometric identification and data processing in the EU. The EU AI Act specifically addresses the use of biometric identification technologies, and imposes additional requirements, explicitly prohibiting any possible discriminatory or oppressive purposes for biometric identification. Together, these regulations strike a delicate balance between creating a platform for innovation and safeguarding individual rights, ensuring that biometric identification is used ethically and responsibly. The EU’s approach serves as a model worldwide, showcasing its commitment to responsible AI development and data protection. The EU AI Act, like the GDPR, provides a roadmap for other countries to follow in addressing the ethical and legal challenges posed by biometric identification technologies.