Facing up to the future of AI: Facial Recognition Technology
Following the European Commission’s publication of its Proposal for a Regulation on Artificial Intelligence (the “AI Regulation”), policymakers and data protection regulators have questioned whether the AI Regulation goes far enough in protecting the rights and freedoms of European citizens, particularly in relation to the use of facial recognition technology in public spaces.
The European Commission Proposal for a Regulation on AI
On 21 April 2021 the European Commission published its long-awaited Proposal for a Regulation on Artificial Intelligence (see our previous briefing for an overview, here). The Commission proposal provides for a horizontal regulatory framework for AI and is the first initiative, worldwide, that provides a legal framework for regulating Artificial Intelligence. It will apply extraterritorially to any provider or distributor of AI whose services or products reach the EU market. Similar to the current draft of the Digital Services Act, the AI Regulation uses a risk-based approach and would impose a series of escalating legal and technical obligations depending on whether the AI product or service is classed as low, medium or high-risk, while a number of AI uses are banned outright. The AI Regulation would explicitly prohibit the use of remote biometric identification systems - including facial recognition - in publicly accessible spaces by law enforcement unless certain limited exceptions apply.
The AI Regulation envisages that the use of this type of remote biometric identification system for the purpose of law enforcement should be prohibited, save in three defined situations where the use is strictly necessary to achieve a substantial public interest, the importance of which is seen to outweigh the risks. Those situations involve the search for potential victims of crime, including missing children; certain threats to the life or physical safety of natural persons or of a terrorist attack; and the detection, localisation, identification or prosecution of perpetrators or suspects of criminal offences.
Has the AI Regulation gone far enough?
The AI Regulation has attracted criticism for not going far enough to protect the rights and freedoms of citizens. The European Data Protection Supervisor (“EDPS”) issued a press release in response to the draft regulation expressing regret that its calls for a moratorium on the use of remote biometric identification systems - including facial recognition - in publicly accessible spaces were not addressed by the Commission and emphasising that a stricter approach is necessary where AI “presents extremely high risks of deep and non-democratic intrusion into individuals’ private lives”.1
Following this, in June 2021 the EDPS and the European Data Protection Board (“EDPB”), which counts Ireland’s Data Protection Commission as a member, adopted a joint opinion2 on the AI Regulation. While the EDPB and the EDPS welcomed the risk-based approach underpinning the AI Regulation, they considered that the concept of “risk to fundamental rights” should be aligned with the EU data protection framework. Taking into account the high risks posed by remote biometric identification of individuals in publicly accessible spaces, the EDPB and the EDPS called for a general ban on any use of AI for the automated recognition of human features in publicly accessible spaces, such as recognition of faces, gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioural signals, in any context. The EDPB and EDPS also recommended a ban on AI systems using biometrics to categorize individuals into clusters based on ethnicity, gender, political or sexual orientation, or other grounds on which discrimination is prohibited under Article 21 of the Charter of Fundamental Rights. Furthermore, the EDPB and the EDPS consider that the use of AI to infer emotions should be prohibited, except for specified cases, such as certain health-related purposes where patient emotion recognition is important, and that the use of AI for any type of social scoring should be prohibited.
Facing up to Brexit: The UK Approach to Facial Recognition Technology
Interestingly, the UK has signalled a divergence of approach in relation to facial recognition technology. In June 2021, the Information Commissioner’s Office published an opinion in relation to the use of remote biometric identification technology, The use of live facial recognition technology in public places3, which allows for the use of live facial recognition by companies and public bodies, clarifying that a high threshold must be met before the technology is rolled out but nevertheless avoiding an outright prohibition. The guidance provides that for the use of facial recognition to be lawful, data controllers must identify a lawful basis to process special category data and criminal offence data where required. They must ensure that their processing is necessary and proportionate to their objectives and should consider the potential adverse impacts of using facial recognition for individuals and ensure they are justified.
In addition, the British government’s Taskforce on Innovation, Growth and Regulatory Reform published its report in June 2021 with recommendations to the Prime Minister on how the UK can reshape its approach to regulation post-Brexit. As part of this report, the Taskforce has proposed replacing the UK General Data Protection Regulation 2018 with a new Framework of Citizen Data Rights. The report makes specific reference to the reform of regulation around AI and recommends removing Article 22 of the GDPR, which sets out a general prohibition (and the exceptions) on fully automated decision-making.
As the use of facial recognition technology develops, so do the risks. Clearly, the use of remote biometric identification of individuals in publicly accessible spaces poses a high-risk of intrusion into individuals’ private lives and the potential privacy and civil liberties concerns in relation to the technology are obvious. Ireland has already seen public controversy following the Department of Social Protection’s confirmation that it carries out biometric processing and uses facial recognition technologies as part of its public services card programme and a related investigation by the Data Protection Commission. The controversy raises issues as to whether a potential reduction in welfare fraud, put forward as the basis for the processing, justifies intrusion into fundamental rights associated with the creation of a national biometric facial recognition database. It remains to be seen whether the incoming AI Regulation will be stringent enough to protect citizens from an era of surveillance reminiscent of Foucault’s vision of ‘compulsory visibility’.
Also contributed by Emily Cunningham.
- EDPS, Artificial Intelligence Act: a welcomed initiative, but ban on remote biometric identification in public space is necessary (23 April 2021).
- EDPB-EDPS, Joint Opinion 5/2021 on the proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) (18 June 2021).
- Information Commissioner’s Office, Information Commissioner’s Opinion: The use of live facial recognition technology in public places (18 June 2021).
- Rt Hon Sir Iain Duncan Smith & Ors, Taskforce on Innovation, Growth and Regulatory Reform independent report (16 June 2021).
This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.