The European Regulatory Frameworks for Facial Recognition. From the LED to the AI Act

ABSTRACT This chapter discusses the EU legal frameworks applicable to Facial Recognition Technologies (FRTs) deployed for law enforcement. It starts with a description of the concept of biometric data from a data protection perspective and presents the obligations linked to the processing of these data by law enforcement authorities for law enforcement purposes as resulting from the Law Enforcement Directive. Then, it delves into the new Artificial Intelligence Act (AI Act) rules on Remote Biometric Identification (RBI) systems, a generic category covering, among others, FRTs used for identification purposes. As a rule, the AI Act bans real-time RBI systems for law enforcement purposes in publicly accessible spaces, with three explicit exceptions, which must be implemented in national legislation to be used and comply with other rules. All other uses of the technologies, including the retrospective use of RBI systems for law enforcement purposes in publicly accessible spaces, fall in the category of high-risk systems. This chapter defines the terms of the discussion under the AI Act and explains the rules applicable to real-time and post RBI systems for law enforcement purposes.

KEYWORDS Facial Recognition - LED - AI Act - Remote Biometric Identification Systems - Law Enforcement

TABLE OF CONTENTS 1. Introduction. – 2. LED. – 2.1. Scope of application. – 2.2. Biometric data. – 2.2.1. Photographs, facial images, and biometric templates. – 2.3. Regime of sensitive data. – 2.4. Obligations linked to the processing of biometric data. – 2.4.1. Data Protection Impact Assessment (DPIA). – 2.4.2.Data Protection by Design and by Default. – 2.4.3. Other obligations. – 2.5. Experiments in various Member States. – 3. AI Act. – 3.1. Prohibition and exceptions. – 3.1.1. Lex specialis to Article 10 of the LED. – 3.1.2. Remote Biometric Identification (RBI) systems. – 3.1.3. Ban. – 3.1.3.1. Realtime versus post-event. – 3.1.3.2. Publicly accessible spaces. –3.1.3.3. Biometric data and biometric identification. – 3.1.3.4. Law enforcement. – 3.1.4. Exceptions. – 3.1.4.1 The three cases. – 3.1.4.1.1. The targeted search for the victims of three serious crimes and the search for missing persons. – 3.1.4.1.2. Prevention of Imminent Threats to Life or Terrorist Attacks. – 3.1.4.1.3. Localisation and identification of suspects and perpetrators of listed serious crimes. – 3.1.4.2. Conditions and safeguards. – 3.2. Retrospective use. – 3.2.1. Justifications. – 3.2.2. Rules. – 3.2.2.1. RBI systems as highrisk systems. – 3.2.2.2. Retrospective use of RBI for law enforcement. – 4. Conclusions