Public surveillance biometrics in Europe could be crushed between the EDPS and AI Act

The European Association for Biometrics (EAB) held an ‘Artificial Intelligence Act Workshop’ to inform members about the impact the proposed regional legislation will have on biometrics vendors and deployments across the continent.

Held in cooperation with German biometrics standards body DIN, the event touched on many aspects of the AI Act and featured presentations from more than half a dozen experts, followed by a panel discussion.

Professor Thomas Zielke of Hochschule Düsseldorf spoke about progress being made towards international standards for artificial intelligence. Dr. Oliver Haase of Validate ML gave a presentation on the requirements for high-risk AI systems under the incoming AI Act. Chiara Giovannini or European standards body ANEC spoke about biometrics from the consumer point of view.

EDPS wants exemptions eliminated

Xabier Lareo presented the European Data Protection Supervisor’s stance on remote biometric identification in public places, which is decidedly negative. In addition to direct harm to privacy rights, mass public surveillance can have a chilling effect on rights to freedom of assembly and expression, he argues.

The opposition is qualified, however: “It is not that we are opposing any or all types of biometrics,” Lareo clarifies.

The EDPS’ position is that biometric surveillance in public spaces because it is not necessary or proportionate, but “the limited exemptions to the ban in the proposal of the AI Act still imply mass surveillance” and depart from the transparency principle, Lareo says.

He cautions against considering the application in terms of technology performance or biometric accuracy, as the necessity and proportionality considerations come first.

“I am a computer engineer, and I am far from being a Ludite,” Lareo states. “I use – every day – biometric authentication in my mobile phone and I’m very happy with it. I can also foresee lawful use cases for biometric identification; however, I do not believe that all technologies are desirable.”

Some technologies, like research on human embryos, are considered undesirable regardless of what the potential benefits. Possible gains are, on this view, not sufficient to establish necessity.

Lareo argues that law enforcement efforts in Europe are largely successful, citing the region’s relatively low crime rate.

The AI Act’s provision on remote biometrics in public spaces is limited in scope to law enforcement purposes, but the EDPS believes it should also address uses such as private security and COVID restriction enforcement.

Lareo also raises the possibility of mission-creep once ID infrastructure is set up, including for the uses which are exempted from the public remote biometrics ban in the AI Act, like finding missing children or preventing imminent terrorist attacks.

The requirements for transparency under the AI Act also raise some thorny practical questions. How are the operators of a system in a public space, which could be any one of many law enforcement groups, supposed to notify all potential data subjects of the use of facial recognition or another remote biometric identification technology? It is not reasonable, Lareo points out, to assume that every visitor to a city, or a transport facility in a city, will read a certain website ahead of time to find out whether the public location they visit is under surveillance.

These transparency issues, Lareo says, are “most likely impossible to solve.”

For these reasons, the EDPS seeks revisions to the AI Act to completely ban the use of remote biometrics in public spaces.

During the question-and-answer period, the uncertain status of devices like police body-cameras equipped with biometric capabilities was raised. It is not entirely clear whether this counts as a use of the technology in public spaces, and Lareo admitted he does not have a fixed position on the answer, though the same concerns about necessity and proportionality still apply.

Article Topics

AI  |  AI Act  |  biometric identification  |  biometrics  |  data protection  |  EAB  |  EU  |  European Association for Biometrics  |  law enforcement  |  legislation  |  privacy  |  regulation  |  standards