Facial recognition in Europe: what’s happening and how can people be protected?

Two new reports aim to establish the status quo of the use of facial recognition in Europe in public places and by law enforcement. They both seek to explore the nuances of the technology and its application, while one is guidance to inform European Union lawmakers on the use of technologies by law enforcement and handling any data captured, the other is the first in a six-part series to bring more examples, use cases and precision to inform the ongoing debate.

Facial recognition technology and its use of AI and machine learning is subject to multiple areas of EU regulation whether already in place or upcoming. There are calls for the AI Act to ban the technology for remote identification in public places, Parliamentary Committees have called for a strengthening of the draft, while analysis by the Ada Lovelace Institute suggests that any ban could in fact reduce protections against biometric surveillance.

Published days apart, the new reports prove (somewhat) complementary and shed more light on a complex situation. Both highlight contradictions in how biometric data is defined, for example by the GDPR and Law Enforcement Directive. As with other work in or by the EU, the reports add to the global discussion on facial recognition deployment.

EDPB guidelines for law makers, law enforcement – facial recognition goes beyond data protection

The European Data Protection Board (EDPB) has put out for public consultation its Guidelines on the Use of Facial Recognition Technology in the Area of Law Enforcement.

The document is principally aimed at politicians at the EU and national level and law enforcement agencies and their officers on the issues of implementing facial recognition systems. They describe the properties peculiar to facial recognition technology and the applicable legal framework. To do this it outlines how the sensitivity of a use case can be classified and provide practical guidance to law enforcement agencies wishing to procure a facial recognition system.

It should be noted that the body takes a hard line on the use of facial recognition. The EDPB is an independent body that ensures the application of GDPR across the European Economic Area. Not to be confused with the European Data Protection Supervisor, EDPS, which is the EU’s independent data protection authority focused more on the bloc’s own institutions.

The two bodies work together and in May 2021 called for a “general ban on any use of AI for an automated recognition of human features in publicly accessible spaces” in a joint opinion on the AI Act. They also called for a ban on categorization, emotion analysis and scraping the internet to create facial image databases.

The guideline seeks to differentiate between face biometrics use for authentication and identification and associated risks. The document contains the many principles for protection such as data minimization, use of data protection impact assessments (DPIA) and logging for databases. It also outlines the contradictions between the Law Enforcement Directives on the use of facial recognition technology and the protection of fundamental rights:

“The use of facial recognition has direct or indirect impact on a number of fundamental rights and freedoms enshrined in the EU Charter of Fundamental Rights that may go beyond privacy and data protection, such as human dignity, freedom of movement, freedom of assembly, and others. This is particularly relevant in the area of law enforcement and criminal justice.”

MAPFRE study Part 1: understanding public facial recognition in the EU and UK

“MAPping the use of Facial Recognition in public spaces in Europe” (MAPFRE) is a project established by the AI-Regulation Chair of the Multidisciplinary Institute in Artificial Intelligence (MIAI) at France’s Université Grenoble Alpes.

It is beginning to publish a series of six reports from the MAPFRE research project into how facial recognition is being used and the related legal issues in the EU and UK by selecting and examining 25 representative cases.

As with the EDPB report, MAPFRE finds that regulating facial recognition and analysis in public places to be a pressing issue for democratic societies. “Curiously, though, the debate about these fundamental questions is taking place in the absence of a profound assessment of how existing European law is being applied to these issues,” writes Theodore Christakis, the project leader, in an article introducing the series.

The project also seeks clarity and precision on the subject to inform discussion.

Part 1 ‘A Quest for Clarity: Unpicking the “Catch-All” Term’ deals with the issue of definitions and the positions adopted by the Members of the European Council and Parliament in the ongoing AI Act drafting.

It explores the arguments for the creation of a distinct set of “biometric-based data” compared to “biometric data,” and the problems with an attempt to make the distinction.

Subsequent installments will examine facial recognition technology in criminal investigations, real-time remote matching, face analysis and “a first ever detailed report on the use of facial recognition for authorisation purposes in public spaces in Europe.”

Article Topics

AI Act  |  biometrics  |  data protection  |  Europe  |  European Data Protection Board (EDPB)  |  face biometrics  |  facial recognition  |  law enforcement  |  MAPFRE  |  regulation  |  video surveillance