A ban on facial recognition by EU AI law could actually reduce the protections against biometric surveillance offered by existing national laws, the General Data Protection Regulation (GDPR) and the Privacy Directive. law enforcement, according to expert analysis from the Ada Lovelace Institute.
Written by Lillian Edwards, Professor of Law, Innovation and Society at Newcastle University, the explainer notes that a push for maximum harmonisation, combined with the lack of focus on private spaces, the application of law and online spaces, could lead to less strict regulation in practice.
The analysis is accompanied by a policy briefing and an expert opinion from Edwards, entitled “Regulating AI in Europe: four problems and four solutions”.
The explainer makes nine key points about the law, including the need to understand it in the context of other EU legislation like the Digital Services Act (DSA), the Digital Markets Act (DMA) and the law on digital governance (DGA). The law primarily targets public sector and law enforcement uses of AI, Edwards notes, and includes broad territorial jurisdiction, like the GDPR.
The explainer looks at the impact of the AI law on biometrics, and facial recognition in particular.
Whether or not to include a ban on the use of facial recognition is identified as an area of controversy around the law, but the restrictions are “very limited”, with no reference to forensic or retrospective applications.
“The ‘prohibition’ imposed by law can sometimes be less stringent than existing data protection controls under GDPR and the Law Enforcement Directive (LED),” Edwards writes. “So if the maximum harmonization argument (above) works, the law could actually reduce the protection against biometric surveillance already afforded by existing national laws.”
The document also notes that biometric-based facial analysis or categorization algorithms are categorized as “limited risk,” a lower risk category than biometric identification and verification systems.
The analysis goes on to describe the difference between biometrics designation as “high risk” and biometrics-based categorization as “limited risk”, as well as the requirements that come with these categories and compliance assessments.
Ada Lovelace Institute | AI | AI Law | biometric identification | biometric identifiers | biometrics | data protection | European | facial recognition | GDPR | legislation | regulation | surveillance