Ada Lovelace analysis suggests EU AI Act could curtail biometrics regulation

A ban on facial recognition by the EU AI Act could actually reduce protections against biometrics surveillance afforded by existing national laws, the General Data Protection Regulation (GDPR) and the Law Enforcement Directive, according to an expert analysis from the Ada Lovelace Institute.

Written by Newcastle University Professor of Law, Innovation and Society Lillian Edwards, the explainer notes that a push for maximum harmonization, combined with the lack of scope over private spaces, law enforcement and online spaces, could result in less-stringent regulation in practice.

The analysis is accompanied by a policy briefing and an expert opinion from Edwards, titled ‘Regulating AI in Europe: four problems and four solutions.’

The explainer makes nine key points about the Act, including the need to understand it in the context of other EU legislation like the Digital Services Act (DSA), the Digital Markets Act (DMA) and the Digital Governance Act (DGA). The Act is aimed primarily at public sector and law enforcement uses of AI, Edwards notes, and includes expansive territorial jurisdiction, like GDPR.

Biometrics implications

The explainer delves into the impact of the AI Act on biometrics, and facial recognition in particular.

Whether to include a ban on facial recognition use is identified as an area of controversy around the Act, but the restrictions are “very limited,” without reference to forensic, or retrospective, applications.

“The ‘ban’ imposed by the Act may sometimes be less stringent than existing data protection controls under GDPR and the Law Enforcement Directive (LED),” Edwards writes. “Thus if the maximum harmonisation argument (above) operates, the Act might in fact reduce protection against biometric surveillance already given by existing national laws.”

The document also notes that biometrics-based facial analysis or categorization algorithms are classed as ‘limited risk,’ a lower risk category than biometric identification and verification systems.

The analysis goes on to describe the difference between the designation of biometrics as ‘high risk’ and biometrics-based categorization as ‘limited risk,’ and the requirements that go along with these categories and conformity assessments.

Article Topics

Ada Lovelace Institute  |  AI  |  AI Act  |  biometric identification  |  biometric identifiers  |  biometrics  |  data protection  |  Europe  |  facial recognition  |  GDPR  |  legislation  |  regulation  |  surveillance