Insights

Regulation Revolution – AI Regulation in the EU and UK - Part III: AI in facial recognition technology, a case study of EU and UK approaches to AI use

8/07/2024

In this series on the regulation of AI, we have considered the nature of the obligations to be imposed by the AI Act and the potential impact of the approaches being adopted by the EU and the UK respectively. Using the example of facial recognition technology, this final article highlights the stark differences between the EU and UK regimes, and the potential benefits and drawbacks of each. 

Facial Recognition Technology in the EU 

As is typical of the EU's approach to AI, the AI Act includes strict controls around AI used to gather biometric data. Indeed, Article 5(e) of the AI Act prohibits the indiscriminate and untargeted scraping of biometric data (including from social media). 

Article 5(h) further prohibits against the use of remote biometric identification systems (for example, facial recognition software) in publicly accessible spaces for the purposes of law enforcement, save where it is used to achieve one of the following:

  1. the targeted search for specific victims of certain crimes (including abduction and human trafficking victims); 
  2. the prevention of specific, substantial and imminent threats to life or physical safety of natural persons, or prevention of genuine and foreseeable terrorist attacks; or
  3. the localisation or identification of a person suspected of committing a criminal offence, for the purpose of conducting criminal investigations or prosecutions, or executing a criminal penalty for certain, profoundly serious offences (such as terrorism, human trafficking, sexual exploitation of children, murder, and drug trafficking).

Even where these objectives are engaged, the AI Act will require a risk assessment be carried out whenever facial recognition technology is considered. The aims of using the software must be carefully reviewed against the objectives listed above, along with consideration of potential wider harms caused to, and consequences for, the fundamental rights and freedoms of non-targeted individuals. The EU regime will further require all facial recognition systems to be registered in an EU database.

Articles 5(e) and 5(h), working in conjunction, introduce a complete prohibition on private entities from untargeted gathering of biometric data and then using that data for remote identification purposes in public spaces, and greatly restricts the same ability for the purposes of law enforcement. There is under the AI Act, and in comparison with the EU GDPR, no legitimate purpose exemption for the gathering of such data. 

The UK approach

By way of contrast, there are no similar general prohibitions in the UK. It is worth referring in this context  to two recent real-world events that helpfully highlight this issue:

Facial recognition and Facewatch - 2023

There has been a somewhat disjointed approach to the use of facial recognition technology in the UK to date. Its use is to be governed by existing data protection, equality and human rights laws. In September 2019, judicial review proceedings were brought against the South Wales Police for use of facial recognition technology in breach of Article 8 of the ECHR (the right to respect for private and family life). The claim failed at first instance but, on appeal, the technology was found to have infringed upon the claimant's Article 8 right and, furthermore, the police were found to have failed to comply with data protection risk assessment requirements under the Data Protection Act 2018. 

In 2021 the ICO published guidance on the use of facial recognition technology in public places. This provided a list of key requirements for data controllers in the context of compliance with existing data protection rules. 

Subsequently, in a blog post in March 2023, the ICO reported on an investigation it had conducted into the use of facial recognition software by a private firm “Facewatch”. This software was utilised in retail spaces to identify "subjects of interest" through real time face scanning and identify potential criminal offenders. 

The ICO concluded that the use of facial recognition software in this instance was legitimate and in compliance with data protection requirements. 

Facebook and data scraping – 2024

Very recently, Meta announced it would allow its new AI tool – Meta AI – to use photos and posts for the purposes of training. Users in the EU and UK have been given the opportunity to "opt out" of this and prevent Meta AI using their data, others across the world in less data regulated regimes (including the U.S) are not able to opt-out. This has caused uproar, particularly amongst creatives, who frequently post on Facebook and Instagram, over concerns that their original work will be misused as a consequence. 

Under the EU and UK GDPR, private entities are allowed to use personal data for legitimate purposes, and Meta is relying on this exemption. However, the AI Act at least restricts the use of biometric data which offers an additional degree of protection to those in the EU, whereas the UK does not. We will have to wait and see what happens next, as the AI Act's prohibitions are not yet in effect.

Conclusion

The AI Act puts in place broad protections against AI risks, these examples showcase its effect: placing individual rights and freedoms ahead of corporate interests and wider social security, by imposing tough restrictions on the use of AI tools. The UK has no such restrictions, protection of individual rights in the context of AI risks will only be achieved through existing regulations. This poses a risk to individual rights and freedoms, though potentially a boon for law enforcement and commercial users of AI tools. 

AI suppliers in the UK might rejoice at the lighter touch regime, for now, but it is clear there are stark differences between the EU and UK, and we certainly haven't seen the last of AI regulation. 

Critically and in the UK, we await further regulatory guidance and the detail of those next steps which the UK's freshly minted Labour government intends to take in this field, following the mandate secured in last week's general election. 

Click below to read part one and two of this series. 

Regulation Revolution – AI Regulation in the EU and UK - Part I: An overview of the AI Act and its wider impact

Regulation Revolution – AI Regulation in the EU and UK - Part II: Pro-innovation vs Pro-risk management: Comparing the EU and UK approach

featured image