Artificial Intelligence Update
4 min to read

Artificial Intelligence Update

12 July 2021

Data protection watchdogs call for a ban on automated facial recognition in AI Act.

The European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) recently released a Joint Opinion on the European Commission proposal for a Regulation laying down harmonised rules on artificial intelligence (“AI Act”).

While the Opinion is not binding on the Commission, the EDPS and EDPB are directly responsible for the enforcement of EU and national Data Protection rules. So, their views are likely to be influential with the European institutions.

If the Opinion generally welcomes the Commission’s efforts to regulate AI and the risk-based approach chosen, it also identifies several aspects of the proposed AI Act that should be adapted and fine-tuned, especially when it comes to its interactions with the EU data protection framework.

Firstly, the Opinion calls for a general ban on “any use of AI for automated recognition of human features in publicly accessible places in any context”. According to the European Data Protection Supervisor, Wojciech Wiewiórowski, such a ban would constitute “the necessary starting point if we want to preserve our freedoms and create a human-centric legal framework for AI”. To recall, the AI Act does not contain an outright ban in this respect, instead introducing a list of exceptional cases in which “real-time” remote biometric identification in public spaces is allowed on law enforcement grounds.

The EDPS and EDPB consider the Commission’s approach as going against the proportionality principle. It would require a considerable amount of data to be processed to identify only a few individuals. Moreover, such a process would have irreversible effects on citizens’ freedom of movement, expression, assembly and association.

In the view of EDPS and EDPB, a ban is also necessary for “AI systems categorising individuals from biometrics into clusters according to ethnicity, gender, political or sexual orientation or other grounds for discrimination” that are prohibited under the EU Charter of Human Rights. According to the EU data protection watchdogs, the so-called “biometric categorisation” foreseen in the AI Act risks affecting human dignity, as individuals’ future behaviour will not be assessed according to their own freewill but merely classified by a computer.

In terms of governance, the Opinion stresses the need to clearly set forth the independent nature of the authorities tasked with supervising and enforcing the AI Act. In this regard, the EDPS and EDPB call for more autonomy to be given to the European Artificial Intelligence Board (EAIB). According to the current draft of the Commission AI proposal, a prominent role in the EAIB will be played by the Commission itself. The EDPS and EDPB take the view that this may undermine the new board’s independence, especially with respect to external political influences. Instead, the Board should be allowed to act on its own initiative.

To ensure more harmonisation within the EU legislative framework and better coordination between the AI Act and the EU data protection rulebook, the Opinion suggests designating the national Data Protection Authorities (DPAs) as the responsible bodies under Article 59 of the AI Proposal. National DPAs are already responsible for enforcing the EU data protection provisions on AI systems based on the processing of personal data. The Opinion suggests that this governance regime would benefit all the actors involved in the AI value chain, as they will have a single point of contact for all data processing operations and disputes.

Lastly, the Opinion addresses the certification of AI systems, which is deemed to lack a clear relationship with EU data protection rules. It states that the current system outlined in the draft AI Proposal should be better aligned with data protection certifications, seals and marks set forth under the General Data Protection Regulation. Failure to do so may create a risk of placing products on the EU market which are validly certified under the AI Act yet are not compliant with the rules and principles of data protection. In particular, the Opinion suggests that the principles of data minimisation and data protection by design should be taken into account while issuing certification under the AI Act.

The EDPB and EDPS Opinion highlights once again the complex issues raised by the Commission’s AI Proposal and the potential for tensions with existing EU law, confirming that the proposal will still be subject to significant negotiations before being passed into law.

Written by
Chiara Horgan
View profile
Related articles
Smart Contracts – Recognising and Addressing the Risks
4 min to read
29 December 2021
Smart Contracts – Recognising and Addressing the Risks
Smart contracts, where some or all of the contractual obligations are defined in and/or performed automatically by a computer program, are expected to have a significant impact on the way business is...
Technology Projects: Managing the Risks of Innovation and Change Part 3: Contract Reset and Dispute Resolution
Technology Projects: Managing the Risks of Innovation and Change Part 3: Contract Reset and Dispute Resolution
Customers in long-term technology projects can find that while they have been working towards their chosen solution a more advanced, cheaper, or simply more desirable technology has become available....
Cybersecurity: Council adopts its position on the NIS2 Directive
8 min to read
21 December 2021
Cybersecurity: Council adopts its position on the NIS2 Directive
On 3 December, the Council agreed on its position on the proposal for a Directive on measures for high common level of cybersecurity across the Union (the “NIS2 Directive”)....
The EU’s Digital Services Package a global benchmark – a closer look at the Digital Markets Act.
27 min to read
17 December 2021
The EU’s Digital Services Package a global benchmark – a closer look at the Digital Markets Act.
On 15 December 2020, the European Commission published proposals for two regulations to regulate digital services, the Digital Services Act and the Digital Markets Act. According to the Commission's...
We use analytics cookies to help us understand if our website is working well and to learn what content is most useful to visitors. We also use some cookies which are essential to make our website work. You can accept or reject our analytic cookies (including the collection of associated data) and change your mind at any time. Find out more in our Cookie Notice.