Real-time remote biometrics banned in EU with final green light for AI Act

The European Union’s Artificial Intelligence Act received a final green light allowing it to become the world’s first major regulation targeting AI. The EU Council gave formal approval to the Act on Tuesday with the legislation expected to enter into force in mid-June and become effective in 2026. Biometrics developers, providers and users take note.

Companies that breach the Act may expect fines from the EU Commission from 7 million euros (US$7.5 million) to €35 million ($38 million) or between 1.5 and 7 percent of their annual global revenues. SMEs and start-ups will be subject to proportional administrative fines.

The implementation of the Act still has a long way to go: General-purpose AI models (GPAI) will have to adopt obligations 12 months after the AI Act comes into force while AI systems in regulated products will have 36 months, according to Reuters.

Since its draft was first published in 2021, the AI Act has instigated heated debates, with human rights organizations criticizing it for inadequate protections and business groups decrying heavy compliance burdens.

The EU reached a provisional agreement on the Act in December 2023 after a three-day marathon negotiation, departing from the position the European Parliament adopted in June of supporting a full ban on real-time biometric surveillance. The technical details of the law were settled at the beginning of February 2024 and it was passed by the European Parliament in March 2024.

The legislation follows a “risk-based” approach, which means AI systems are categorized into different types based on risk with stricter rules applied to systems deemed to bring harm to society.

AI applications with unacceptable risk are banned, including those that use real-time remote biometric identification, including facial recognition, in public spaces. The law, however, makes exceptions for law enforcement in specific circumstances, such as kidnappings and terrorism. Other banned applications include biometric categorization systems based on sensitive characteristics, emotion recognition in the workplace and schools, social scoring, predictive policing and applications that manipulate human behavior. The law also forbids untargeted scraping of facial images from the web or CCTV footage to create facial recognition databases.

Another novelty brought by the legislation is transparency requirements, including for deepfakes which will need to be clearly labeled as such.

To ensure smooth sailing, the AI Act will set up new institutions, The AI Office, attached to the European Commission, is tasked with coordinating its implementation among Member States and ensuring that classification rules and procedures are up to date of technological developments. Other agencies include the European Artificial Intelligence Board, the Advisory Forum and the Scientific Panel of Independent Experts.

The law also foresees AI regulatory sandboxes that would allow for the testing of AI systems in real-world conditions.

Article Topics

AI Act  |  artificial intelligence  |  biometrics  |  EU  |  facial recognition  |  legislation  |  remote biometrics