Artificial Intelligence Update
4 min to read

Artificial Intelligence Update

12 July 2021

Data protection watchdogs call for a ban on automated facial recognition in AI Act.

The European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) recently released a Joint Opinion on the European Commission proposal for a Regulation laying down harmonised rules on artificial intelligence (“AI Act”).

While the Opinion is not binding on the Commission, the EDPS and EDPB are directly responsible for the enforcement of EU and national Data Protection rules. So, their views are likely to be influential with the European institutions.

If the Opinion generally welcomes the Commission’s efforts to regulate AI and the risk-based approach chosen, it also identifies several aspects of the proposed AI Act that should be adapted and fine-tuned, especially when it comes to its interactions with the EU data protection framework.

Firstly, the Opinion calls for a general ban on “any use of AI for automated recognition of human features in publicly accessible places in any context”. According to the European Data Protection Supervisor, Wojciech Wiewiórowski, such a ban would constitute “the necessary starting point if we want to preserve our freedoms and create a human-centric legal framework for AI”. To recall, the AI Act does not contain an outright ban in this respect, instead introducing a list of exceptional cases in which “real-time” remote biometric identification in public spaces is allowed on law enforcement grounds.

The EDPS and EDPB consider the Commission’s approach as going against the proportionality principle. It would require a considerable amount of data to be processed to identify only a few individuals. Moreover, such a process would have irreversible effects on citizens’ freedom of movement, expression, assembly and association.

In the view of EDPS and EDPB, a ban is also necessary for “AI systems categorising individuals from biometrics into clusters according to ethnicity, gender, political or sexual orientation or other grounds for discrimination” that are prohibited under the EU Charter of Human Rights. According to the EU data protection watchdogs, the so-called “biometric categorisation” foreseen in the AI Act risks affecting human dignity, as individuals’ future behaviour will not be assessed according to their own freewill but merely classified by a computer.

In terms of governance, the Opinion stresses the need to clearly set forth the independent nature of the authorities tasked with supervising and enforcing the AI Act. In this regard, the EDPS and EDPB call for more autonomy to be given to the European Artificial Intelligence Board (EAIB). According to the current draft of the Commission AI proposal, a prominent role in the EAIB will be played by the Commission itself. The EDPS and EDPB take the view that this may undermine the new board’s independence, especially with respect to external political influences. Instead, the Board should be allowed to act on its own initiative.

To ensure more harmonisation within the EU legislative framework and better coordination between the AI Act and the EU data protection rulebook, the Opinion suggests designating the national Data Protection Authorities (DPAs) as the responsible bodies under Article 59 of the AI Proposal. National DPAs are already responsible for enforcing the EU data protection provisions on AI systems based on the processing of personal data. The Opinion suggests that this governance regime would benefit all the actors involved in the AI value chain, as they will have a single point of contact for all data processing operations and disputes.

Lastly, the Opinion addresses the certification of AI systems, which is deemed to lack a clear relationship with EU data protection rules. It states that the current system outlined in the draft AI Proposal should be better aligned with data protection certifications, seals and marks set forth under the General Data Protection Regulation. Failure to do so may create a risk of placing products on the EU market which are validly certified under the AI Act yet are not compliant with the rules and principles of data protection. In particular, the Opinion suggests that the principles of data minimisation and data protection by design should be taken into account while issuing certification under the AI Act.

The EDPB and EDPS Opinion highlights once again the complex issues raised by the Commission’s AI Proposal and the potential for tensions with existing EU law, confirming that the proposal will still be subject to significant negotiations before being passed into law.

Written by
Chiara Horgan
View profile
Related articles
Digital dispute resolution rules to facilitate rapid and cost-effective resolution of disputes involving novel digital technologies
Digital dispute resolution rules to facilitate rapid and cost-effective resolution of disputes involving novel digital technologies
While some saw the development of products using blockchain technology leading to the demise of disputes, the reality is that disputes in the arena of digital technology are increasing in number. Lawtech’s...
Technology Projects: Managing the Risks of Innovation and Change Part 2: During the Life of the Project
Technology Projects: Managing the Risks of Innovation and Change Part 2: During the Life of the Project
Customers in long-term technology projects can find that while they have been working towards their chosen solution a more advanced, cheaper, or simply more desirable technology has become available....
The UK as a global AI superpower
4 min to read
27 October 2021
The UK as a global AI superpower
On 22 September 2021, during the third day of London Tech Week, the UK Department for Digital, Culture, Media & Sport published its first National AI Strategy, detailing its 10-year plan to position...
Member States reach a common position on data governance
3 min to read
18 October 2021
Member States reach a common position on data governance
A first initiative in the EU data strategy to capture the enormous potential of ‘Big Data’ appears to be nearing completion. On 1 October, EU Member States agreed on a common position with respect to...
We use analytics cookies to help us understand if our website is working well and to learn what content is most useful to visitors. We also use some cookies which are essential to make our website work. You can accept or reject our analytic cookies (including the collection of associated data) and change your mind at any time. Find out more in our Cookie Notice.