Ban Biometric Surveillance in Public - EU Action Needed

Calls Mount for Ban on Biometric Surveillance Within the EU

Further appeals have been made by EU bodies to prohibit biometric surveillance in public areas.

A jointly released opinion today from the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), Wojciech Wiewiórowski, urges that proposed EU regulations concerning artificial intelligence technologies be strengthened. Specifically, they advocate for a “general ban on any AI-driven automated recognition of human features in publicly accessible spaces.”

Scope of the Proposed Ban

This ban would encompass the recognition of faces, gait, fingerprints, DNA, voice, keystrokes, and other biometric or behavioral signals, regardless of the context.

The core argument centers on the potential for these technologies to inflict significant harm on the fundamental rights and freedoms of EU citizens, including their right to privacy and equal treatment under the law.

Roles of the EDPB and EDPS

The EDPB is tasked with ensuring consistent application of the EU’s privacy regulations.

Meanwhile, the EDPS oversees data protection compliance within EU institutions and offers legislative guidance to the commission.

Previous Concerns with AI Regulation Drafts

Initial drafts of EU legislation regulating AI applications included restrictions on law enforcement’s use of biometric surveillance. However, these restrictions were accompanied by extensive exemptions.

These broad exemptions drew substantial criticism from digital rights groups, civil society organizations, and numerous Members of the European Parliament (MEPs).

The EDPS previously called for a reassessment of the proposed regulations, and now, the EDPB has joined in voicing these concerns.

Detailed Concerns and Recommendations

The EDPB and EDPS have jointly outlined several concerns regarding the EU’s AI proposal. While acknowledging the “risk-based approach” adopted by EU lawmakers, they emphasize the need for careful alignment with the existing EU data protection framework to mitigate potential risks to individual rights.

International Law Enforcement Cooperation

They express concern over the exclusion of international law enforcement cooperation from the scope of the proposal.

Furthermore, they stress the importance of explicitly clarifying that current EU data protection legislation – including GDPR, the EUDPR, and the LED – applies to all personal data processing falling under the AI Regulation.

Categorization Based on Sensitive Characteristics

Beyond a ban on public biometric surveillance, the pair advocate for a complete prohibition on AI systems utilizing biometrics to categorize individuals based on ethnicity, gender, political affiliation, sexual orientation, or any other grounds prohibited by Article 21 of the Charter of Fundamental Rights.

This concern is particularly relevant given Google’s recent shift in adtech towards replacing individual behavioral targeting with cohort-based advertising, defined by AI algorithms.

Potential Legal Risks of FLoCs

Speculation arises regarding whether Google’s Federated Learning of Cohorts (FLoCs) poses a legal discrimination risk, depending on how users are grouped for ad targeting.

Concerns have been raised about FLoCs potentially amplifying bias and enabling predatory advertising. Notably, Google avoided initial testing in Europe, likely due to the EU’s stringent data protection regulations.

Further Recommendations: Emotion Recognition and Social Scoring

The EDPB and EDPS also recommend prohibiting the use of AI to infer a person’s emotional state, except in limited, specified cases like certain health applications where patient emotion recognition is crucial.

They also call for a prohibition on any form of AI-driven social scoring, echoing the commission’s draft proposal to prevent the implementation of a China-style social credit system within the region.

However, failing to prohibit biometric surveillance in public spaces could inadvertently lead to the development of similar tracking and profiling systems by private entities.

Enforcement Structure Concerns

The EDPB’s chair, Andrea Jelinek, and Wiewiórowski argue that data protection authorities within Member States should be designated as national supervisory authorities for the AI Regulation.

They point out that these authorities already enforce GDPR and the LED on AI systems involving personal data, and a unified approach would ensure consistent interpretation of data processing provisions across the EU.

Independence of the European Artificial Intelligence Board

They also express reservations about the commission’s plan to assume a dominant role in the planned European Artificial Intelligence Board (EAIB).

They argue this could compromise the board’s independence and advocate for greater autonomy, enabling it to act proactively.

Commission’s Response

A commission spokesperson clarified that GDPR already prohibits the use of remote biometric systems for identification purposes, except in limited circumstances.

Any permitted use must be based on EU or national law, be justified, proportionate, and include adequate safeguards, while also complying with the EU Charter of Fundamental Rights.

The spokesperson emphasized that the new regulation aims to complement existing data protection rules, not ban practices already prohibited with narrow exceptions.

Law Enforcement Exceptions

For law enforcement, the proposal seeks to ban real-time remote biometric identification in public spaces unless strictly necessary for specific, exhaustively listed purposes, such as locating missing children or addressing imminent threats to life.

The official highlighted the existence of “a number of beneficial applications outside the law enforcement field,” such as assisting visually impaired individuals, justifying a more nuanced approach.

Ongoing Digital Rulemaking in the EU

The AI Regulation is one of several digital proposals recently unveiled by EU lawmakers.

Negotiations between EU institutions and lobbying efforts from industry and civil society continue as the bloc works towards adopting new digital rules.

UK Information Commissioner’s Warning

In a related development, the U.K.’s information commissioner recently cautioned against the threats posed by big data surveillance systems utilizing technologies like live facial recognition.

While refraining from endorsing or banning the technology, her opinion suggests that many applications of biometric surveillance may be incompatible with the U.K.’s privacy and data protection framework.