EU’s provisional AI Act deal limits remote biometrics use after marathon negotiation

After a three-day marathon negotiation, the European Union has finally reached a provisional agreement on the Artificial Intelligence Act.

Late Friday, the European Council and Parliament settled their disputes on the first major framework governing AI, including the use of biometric surveillance by law enforcement, which proved one of the largest stumbling blocks. The final agreement also bans some kinds of biometric categorization and makes online images off-limits for facial recognition databases.

“It was long and intense, but the effort was worth it,” the AI Act’s co-rapporteur Brando Benifei says in a statement.

Despite some lawmakers arguing for a complete ban, negotiators agreed to allow law enforcement the use of remote biometric identification  (RBI) systems in public spaces, under certain conditions. The technology can be deployed with approval from courts and for a strictly defined list of crimes.

Retrospective biometric surveillance can be used strictly for targeted searches of people who are convicted or suspected of serious crimes. Live facial recognition surveillance is limited to certain times and locations and only to search for victims of abductions and trafficking, for terrorism prevention and to search for people suspected of committing serious crimes.

The deal represents a departure from the position the European Parliament adopted in June when lawmakers voted to support a full ban on real-time biometric surveillance.

Aside from biometric surveillance, technologies such as generative AI have also presented a stumbling block. The current deal mandates that foundation models such as ChatGPT and general purpose AI systems (GPAI) comply with transparency obligations before hitting the market.

Business groups criticize heavy compliance burdens

The AI Act also details how businesses can authorize high-risk AI systems to gain access to the EU market. While the EU argues that the draft deal makes it less burdensome, business organizations are arguing the opposite

“The final text largely departs from the sensible risk-based approach proposed by the Commission, which prioritized innovation over overly prescriptive regulation,” the Computer & Communications Industry Association (CCIA Europe) says in a statement.

“The agreed AI Act imposes stringent obligations on developers of cutting-edge technologies that underpin many downstream systems, and is therefore likely to slow-down innovation in Europe,” the group says, adding that the agreement lacks important details.

Business group DigitalEurope has also criticized the rules noting that for a startup of 50 people, compliance would cost around 300,000 euros (US$322,400).

“The new requirements – on top of other sweeping new laws like the Data Act – will take a lot of resources for companies to comply with, resources that will be spent on lawyers instead of hiring AI engineers”

Risks to human rights remain

The final list of bans on AI applications is longer than in the Commission’s original proposal, including biometric categorization systems that use sensitive characteristics, such as political, religious, sexual orientation and race. Untargeted scraping of facial images from the internet or CCTV footage to create facial recognition databases was also banned, and so was emotion recognition in the workplace and educational institutions.

Digital rights groups, however, warn that the current agreement introduces many loopholes that put rights at risk, including allowing AI developers to have a say in whether their systems count as high-risk.

“The EU Parliament managed to introduce a number of key safeguards to improve the original draft text, but Member States still decided to leave people without protection in situations where they would need it most,” rights organization Algorithm Watch says in a statement.

The Friday provisional deal paves the way for the final deal which may be adopted by both Parliament and Council by the end of the year.

Article Topics

AI Act  |  biometric identification  |  biometrics  |  EU  |  legislation  |  remote biometrics  |  surveillance