Norway’s data privacy watchdog seeks ban on remote biometric identification

Norway is exploring stronger regulations on AI – and a potential ban on biometric recognition technology for surveillance.

A translated statement from Datatilsynet, the Norwegian Data Protection Authority (DPA), offers recommendations on a new law submitted for consultation by the Ministry of Digitalisation and Public Administration.

Among the main recommendations are a demand for a national ban on what translates as “remote biometric identification” – defined here as tech that “aims to identify natural persons without their participation, usually at a distance, by comparing a person’s biometric data with the biometric data in a reference database.” (In other words, 1-n facial recognition, including live facial recognition.)

“The use of remote biometric identification constitutes a serious infringement of privacy and the right to privacy,” it says. As such, it calls for a general ban in Norway against the use of biometric recognition, regardless of purpose.

“These are measures that involve major interference with the right to privacy, cf. Article 8 of the European Convention on Human Rights (ECHR) and Section 102 of the Constitution, and which may also have consequences for other fundamental rights, such as freedom of expression and freedom of assembly.”

It notes that “the Ministry is assuming that such use is illegal today in any case. However, the Norwegian Data Protection Authority believes that borderline cases and situations of doubt may arise, and that this should therefore be included and specified in a prohibitory provision in law.”

Full adoption of the AI Act into national law

The DPA also calls for clearer frameworks on the implementation of the EU AI Act in Norwegian law, emphasizing that the entire regulation is implemented in Norwegian law to “ensure that the legal protection of Norwegian citizens is not weaker than for other citizens in the EU.”

The agency says it is “positive about taking on a role as a market surveillance authority,” as designated by the ministry, and believes it should be given “supervisory responsibility for the use of high-risk AI systems for law enforcement purposes.”

Alas, it says, this requires sufficient resources. Or – in a cruder translation – ante up to support protections.

But, keep your distance.

“We also emphasize the need for independence, both in its own role and in the case of a possible complaints body. We further point out that a complaints body must have sufficient expertise and that the market surveillance authorities must be able to bring legal proceedings in important cases.”

Additional recommendations seek clarification on questions of jurisdiction, fines and information sharing, and call for the establishment of “a list of public authorities that oversee fundamental rights.”

Article Topics

AI Act  |  biometric identification  |  biometrics  |  data protection  |  facial recognition  |  legislation  |  Norway  |  Norwegian Data Protection Authority (DPA)  |  real-time biometrics