On 8 September 2021, the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs published a briefing about the report that considered the ethical issues surrounding use of biometric recognition and behavioural detection techniques in public spaces. The full report was prepared on request of two committees of the European Parliament and published in August 2021.
The report explores the deeply personal nature of behavioural data such as a person’s walk, voice, or gestures and provides recommendations for further regulation of biometric data to safeguard individuals against misuse of such data. The report also considers large-scale surveillance, algorithmic decision making, and profiling.
After detailed analysis of various types of biometric techniques, the report considered how these techniques are addressed by the recent proposal for an Artificial Intelligence Act (EU Regulation on Artificial Intelligence or AI Regulation) of 21 April 2021, as well as by other legislative instruments (such as the proposed Data Governance Act), and whether this legislation addresses the ethical and fundamental rights issues in a comprehensive way.
The report supports the general approach to regulation of these technologies in the AI Regulation but notes that the proposal does not address the ethical concerns consistently. In view of this, the report recommends that the European Parliament and EU legislators consider a number of amendments (such as including specific provisions that would ensure responsible use of certain restricted AI practices, such as biometric techniques and inferences).
The key recommendations for legislators include the following:
- introduce a definition for ‘biometric inferences’ and ‘biometric-based data’ and detach the definitions of ‘emotion recognition system’ and ‘biometric categorisation system’ from the concept of ‘biometric data’ as defined in the GDPR;
- total or comprehensive surveillance of natural persons in their private or work life and of infringements of mental privacy and integrity should be included in the list of prohibited AI practices in Article 5(1) AI Regulation. The list of prohibited AI practices should be reviewed and updated by the European Commission periodically, potentially under the supervision of the European Parliament;
- introduce a new section on restricted AI applications, to address in detail: (i) ‘real-time’ remote biometric identification (and possibly other forms of real-time remote identification), including among other things, for law enforcement purposes, (ii) other biometric identification systems, emotion recognition systems and biometric categorisation systems, while limiting the admissibility of such systems and integrating the transparency obligations on operators of biometric systems; (iii) a new provision on decisions based on biometric techniques; and (iv) potential substantive limits to the drawing of biometric inferences;
- consider introducing new provisions on automated consent management in the GDPR or in the AI Regulation for situations where the use of biometric techniques is based on user’s consent. Automated consent management should enable the individuals to effectively manage consent and to use independent tools or service providers for consent management (such as data sharing service providers within the meaning of the Data Governance Act). Systems must be designed in a way that ensures automated transmission of consent (or its withdrawal) to all recipients of biometrics-based data and to allow automated erasure or other actions on the part of those recipients.
The full report also includes a section with proposed wording to amend the AI Regulation.
The briefing is available here and the full report is available here.