EU data watchdog publishes guidelines on facial recognition in policing
As the debate over the AI Act heats up, the European Union’s data protection watchdog has published its final set of guidelines on the use of facial recognition technology in law enforcement.
The European Data Protection Board (EDPB) guidelines are meant to help individual EU states formulate their laws: Each country should provide a legal basis for any form of processing biometric data by law enforcement agencies using facial recognition, according to the document.
The EDPB is in charge of ensuring the European Union’s General Data Protection Regulation (GDPR) is applied in every EU country.
In the new guidelines, the agency adopts a softer approach compared to 2021, when it called for a general ban on any use of automated systems recognizing “gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioral signals” in public spaces. Despite this, the agency still considers remote biometric identification of individuals in public spaces “highly undesirable.” Another application that the EDPB does not want in public spaces is the use of facial recognition to infer the emotions of an individual.
Aside from the guidelines, the EDPB provided three annexes to the document, including assessments of hypothetical scenarios in which law enforcement agencies use facial recognition.
Scraping images off the internet to create a database and using facial recognition for riot investigation, for instance, would constitute a disproportionate interference with rights, according to the agency. Automated border control and identifying abducted children, on the other hand, are compatible with EU law.
With a few exceptions, the final guidelines resemble the draft published in May 2022.
The document states that processing of personal data should be done for a specific purpose while the laws should define objectives towards a specific subject, rather than granting general authorization for using facial recognition to maintain order.
“The legal basis must be sufficiently clear in its terms to give citizens an adequate indication of conditions and circumstances in which authorities are empowered to resort to any measures of collection of data and secret surveillance,” the guidelines note.
International law firm Pearl Cohen has highlighted some of the new changes brought by the version 2.0 document:
- In the training and development of facial recognition technologies, personal data may only be processed when there is a lawful and legitimate basis.
- While the scope of the guidelines is limited to technologies for identification purposes, certain aspects of the guidelines may also be used for other types of processing of biometric information by law enforcement authorities.
- Keeping documentation of the operations performed within the system and the relevant procedural steps is of key importance.
- A human in the loop is not considered a sufficient safeguard to protect data subjects’ rights as humans are prone to biases and errors.
- EU countries should ensure that they allocate enough resources to data protection authorities.