Remote Biometric Identification (RBI) and the EU Regulation
Remote Biometric Identification (RBI) is the use of Artificial Intelligence in publicly accessible spaces to recognize individuals using their biometric data, resulting from specific technical processing related to the physical, physiological, or behavioral characteristics of a natural person, at a distance from a database. Although this technology is essential for law enforcement activities, it raises concerns about the violation of fundamental rights, including privacy, data protection, freedom of expression, and non-discrimination. Indeed, RBI is designed to scan individuals in a publicly accessible space, meaning that every person who passes through will have their biometric data scanned. After a proposal of the European Commission in April 2021 for an EU regulatory framework on the use of Artificial Intelligence, the EU institutions have worked on and discussed its provisions, which following trilogue negotiations are expected to be agreed on by December 6.
The AI ACT: limitations on the use of RBI
In addition to the notion of “RBI” and “biometric data”, the AI Act proposal introduces the concepts of “emotion recognition system” – used to identify emotions or intentions of people based on their biometric data -, and “biometric categorization” – used to assign people to specific categories such as sex, age, hair and eye color, tattoos, ethnic origin or sexual or political orientation. Moreover, it makes a distinction between “real-time” and “post” remote biometric identification systems. In the former. the capturing, comparison and identification of the biometric data all occur instantaneously, involving the use of “live” or “near live” tools, while, in the latter, the biometric data has already been captured and the comparison and identification occur only after a significant delay, involving material generated before the use of the system. Where AI systems for “real-time” remote biometric identification in publicly accessible spaces for law enforcement purposes are concerned, their use can affect the private life of individuals, causing a constant feeling of surveillance and directly impacting their fundamental rights. For these reasons, the European Commission proposes the prohibition of the use of these systems for law enforcement except in situations that involve the search for potential victims of crime, including missing children, certain threats to the life or physical safety of natural persons or of a terrorist attack, and the detection, localization, identification or prosecution of an offender or suspect of an offence punishable by a penalty or a maximum of at least three years, referred to in Council Framework Decision 2002/584/JHA38. It is also taken into consideration specific elements such as the nature of the situation, consequences for rights and freedoms, and specified safeguards. In addition, the AI Act mentions that each use of this system should require specific authorization from a judicial or independent administrative authority of a Member State, usually preceding the usage, unless justified by urgent circumstances, and depending on the national law.
The debate of EU institutions on the use of RBI systems
After the proposal of the European Commission, there have been debates and discussions around the topic of the use of RBI systems within the EU institutions. The European Parliament has adopted the strictest approach to the issue, and as agreed on in its mandate reached in June 2023, it suggested to expand the list of banned biometric AI systems and categorize some of them as high-risk. It also opted for a ban on the use of real-time RBI in public spaces for both private and public entities. Although an initial approach, the European Parliament is considering allowing restricted conditions for the use of real-time RBI technologies as part of a compromise in the AI Act negotiations. It reintroduced RBI in specific cases and in exchange the Parliament secured an extension of banned AI applications, including systems creating facial recognition databases and those inferring sensitive information.
The Council of the EU in its position, expanding on the exceptions initially suggested by the Commission for law enforcement, added entities operating on their behalf, extended the scope of biometric identification, and provided exceptions to transparency obligations for emotion recognition in specific situations. With its mandate, the Council has largely aligned with the Commission’s proposal, balancing law enforcement needs and fundamental rights, in contrast to the Parliament’s stricter approach.
In conclusion, the ongoing debates within the EU institutions on the use of Remote Biometric Identification (RBI) underlines the need to strike the right balance between the necessity of technological tools for law enforcement and the importance of protecting fundamental rights such as privacy and data protection. As the EU moves towards the finalization of the AI Act, the outcomes of these negotiations will shape the future landscape of RBI systems, influencing how they can be used while emphasizing the importance of the concepts of privacy, freedom of expression, data protection and non-discrimination.