Two of the European Union’s leading independent data protection watchdogs, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), are jointly calling for a widespread ban on the use of AI-driven biometric identification in public places. More than just a facial recognition ban, the proposal calls for automated systems recognizing “gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioral signals” to be kept out of all of the EU’s publicly accessible spaces.
The declaration follows the European Commission’s proposal for a harmonized EU policy on the applications of artificial intelligence. This proposal was released to the public in late April and laid out provisions for the handling of “high risk” AI systems to include data governance and human oversight requirements.
Proposal includes facial recognition ban in all EU public spaces, no identity-based categorization systems
The EDPB and EDPS joint opinion was welcoming of the many applications of AI within the EU, but expressed the desire to see it removed from most public spaces and for it to not be used to automatically group people based on intrinsic or perceived characteristics.
The call for a facial recognition ban incorporates nearly all imaginable biometrics in all possible contexts, differentiating from other calls to simply limit law enforcement access to this sort of data. The ban on characteristics would encompass AI systems that attempt to automatically recognize and sort by factors such as ethnicity, gender, political or sexual orientation; any personal category that is protected by the discrimination laws laid out in Article 21 of the Charter of Fundamental Rights.
The EDPB and EDPS also called for an almost complete ban on AI systems that “infer emotions of a natural person,” calling them “highly undesirable.” The exceptions would be for specific health purposes, such as cases where a medical patient is incapable of articulating their mental state adequately.
The joint opinion also briefly mentioned a prohibition on “social scoring,” such as the infamous “social credit system” being developed in China.
The privacy watchdogs are seeking an overall approach that calculates risk to fundamental human rights in the application of any AI systems and analyzes the possibility of harm to specific social groups. In addition to the various prohibitions already named, the groups want to see compliance with legal obligations arising from Union legislation as a precondition for any businesses looking to bring a product of this sort to the EU market, and want to see a distinction drawn between classification of an AI system as “high risk” and an automatic presumption of legality on that basis.
Under the current EU Commission proposal, the EDPS would become the competent authority and market surveillance authority for the supervision of EU organizations. However, the full scope of its duties and powers have yet to be established. Another aspect that is still being worked out is how supervision and enforcement would be handled at the level of individual nations; the joint opinion proposes that the existing data protection authorities (DPAs) expand their scope to become “national supervisory authorities” for the purpose of AI oversight. The privacy watchdogs want to see the European Artificial Intelligence Board (EAIB) invested with autonomous power to take initiative in these cases that emerge at the national level.
The EU has historically been privacy-conscious, and the proposed facial recognition ban goes farther than what many other nations have shown a willingness to do. For example, it would forbid the use of biometric AI systems in stadiums and at concerts. It would also presumably forbid the addition of this type of software to the sprawling CCTV camera systems already in place in numerous cities.
Though the EDPB and EDPS do not have any direct input into the actual language and terms of whatever facial recognition ban might emerge from this, they are highest-level advisory groups to EU lawmakers on the subject of privacy issues. Their opinions generally factor heavily into the eventual terms worked out by the Commission, the Council of the EU and the European Parliament.
Facial recognition complaints from privacy advocates
The proposed facial recognition ban (and attached components) follows complaints from independent EU privacy advocates (most notably the European Digital Rights (EDRi) advocacy network) that the original Commission proposal did little to curb use of AI for mass surveillance purposes. Lobbying groups for the other side of the issue, most notably the U.S. Information Technology Industry Council (which represents big tech behemoths such as Facebook and Google), have mostly issued cautious statements about working with the EU’s high-ranking privacy watchdogs on the facial recognition ban but have also done some mild grumbling about “red tape” holding up development.
An interesting consideration raised by TechCrunch is that Google’s plan to create user cohorts (“FLoCs”) as an alternative to tracking cookies might fall afoul of these new rules if they are adopted as such, if they were to use characteristics that are covered by the Article 21 discrimination rules.