Data protection watchdogs call for a ban on automated facial recognition in AI Act.
The European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) recently released a Joint Opinion on the European Commission proposal for a Regulation laying down harmonised rules on artificial intelligence (“AI Act”).
While the Opinion is not binding on the Commission, the EDPS and EDPB are directly responsible for the enforcement of EU and national Data Protection rules. So, their views are likely to be influential with the European institutions.
Although the Opinion generally welcomes the Commission’s efforts to regulate AI and the risk-based approach chosen, it also identifies several aspects of the proposed AI Act that should be adapted and fine-tuned, especially when it comes to its interactions with the EU data protection framework.
Firstly, the Opinion calls for a general ban on “any use of AI for automated recognition of human features in publicly accessible places in any context”. According to the European Data Protection Supervisor, Wojciech Wiewiórowski, such a ban would constitute “the necessary starting point if we want to preserve our freedoms and create a human-centric legal framework for AI”. To recall, the AI Act does not contain an outright ban in this respect, instead introducing a list of exceptional cases in which “real-time” remote biometric identification in public spaces is allowed on law enforcement grounds.
The EDPS and EDPB consider that the Commission’s approach goes against the proportionality principle. It would require a considerable amount of data to be processed to identify only a few individuals. Moreover, such a process would have irreversible effects on citizens’ freedom of movement, expression, assembly and association.
In the view of the EDPS and EDPB, a ban is also necessary for “AI systems categorising individuals from biometrics into clusters according to ethnicity, gender, political or sexual orientation or other grounds for discrimination” that are prohibited under the EU Charter of Human Rights. According to the EU data protection watchdogs, the so-called “biometric categorisation” foreseen in the AI Act risks affecting human dignity, as individuals’ future behaviour will not be assessed according to their own free will but merely classified by a computer.
In terms of governance, the Opinion stresses the need to clearly set forth the independent nature of the authorities tasked with supervising and enforcing the AI Act. In this regard, the EDPS and EDPB call for more autonomy to be given to the European Artificial Intelligence Board (EAIB). According to the current draft of the Commission AI proposal, a prominent role in the EAIB will be played by the Commission itself. The EDPS and EDPB take the view that this may undermine the new board’s independence, especially with respect to external political influences. Instead, the Board should be allowed to act on its own initiative.
To ensure more harmonisation within the EU legislative framework and better coordination between the AI Act and the EU data protection rulebook, the Opinion suggests designating the national Data Protection Authorities (DPAs) as the responsible bodies under Article 59 of the AI Proposal. National DPAs are already responsible for enforcing the EU data protection provisions on AI systems based on the processing of personal data. The Opinion suggests that this governance regime would benefit all the actors involved in the AI value chain, as they will have a single point of contact for all data processing operations and disputes.
Lastly, the Opinion addresses the certification of AI systems, which is deemed to lack a clear relationship with EU data protection rules. It states that the current system outlined in the draft AI Proposal should be better aligned with data protection certifications, seals and marks set forth under the General Data Protection Regulation. Failure to do so may create a risk of placing products on the EU market which are validly certified under the AI Act yet are not compliant with the rules and principles of data protection. In particular, the Opinion suggests that the principles of data minimisation and data protection by design should be taken into account while issuing certification under the AI Act.
The EDPB and EDPS Opinion highlights once again the complex issues raised by the Commission’s AI Proposal and the potential for tensions with existing EU law, confirming that the proposal will still be subject to significant negotiations before being passed into law.