by Samuel Stolton*
An EU Council report, reportedly circulated among 10 member states last November, details measures led by Austria to legislate for the building of a network of facial recognition databases that could be used and accessed by police forces across the bloc.
The documents, obtained by The Intercept, correspond to a series of reports which examine whether the Prum treaty, which contains rules for operational police cooperation between EU member states, should be expanded to include facial images.
Under the current regime, there are provisions in place that permit the sharing of DNA, fingerprint and vehicle registration databases between participating member states. The initiative had been originally put forward by German Interior Minister Wolfgang Schauble in 2005.
The expansion of the Prum treaty to cover facial recognition images was foreseen following Council conclusions in 2018, which invited member state experts as part of the Council’s Working Party on Information Exchange and Data Protection “to evaluate the Prum workflow for further developments with a view to possible new biometric technologies, e.g. face recognition systems.”
Reports suggest that in order to judge the feasibility of incorporating facial recognition technologies into the Prum agreement, the European Commission has contracted international consultancy Deloitte to conduct an assessment, to the sum of €700,000.
Artificial Intelligence White Paper
The leaked documents come at a time when the EU is wrestling with the question of whether facial recognition technologies should be regulated in the bloc or not.
Earlier this year, documents obtained by EURACTIV suggested that the European Commission had been mulling over a possible five-year moratorium on the technology as part of its White Paper on Artificial Intelligence – its roadmap for how the executive would look to mitigate future risks in the field.
However, these plans were shelved in the final version of the White Paper published last week, with the Commission instead opting for an “EU-wide debate on the use of remote biometric identification.”
The Commission had also highlighted the fact that under current EU data protection rules, the processing of biometric data for the cause of identifying individuals is prohibited, unless specific conditions with regards to national security or public interest are met.
Article 6 of the EU’s General Data Protection Regulation outlines the conditions under which personal data can be legally processed, one such requirement being that the data subject has given their explicit consent. Article 4 (14) of the legislation covers the processing of biometric data.
Despite this, in recent months, EU member states have been charting future plans in the field of facial recognition technologies.
Germany has outlined intentions to roll out automatic facial recognition at 134 railway stations and 14 airports, while France also has plans to establish a legal framework permitting video surveillance systems to be embedded with facial recognition technologies.
More broadly, the EU’s AI White paper highlighted a series of ‘high-risk’ technologies which could be in store for future oversight. Such technologies fall into two categories: those in ‘critical sectors’ and those deemed to be of ‘critical use.’
Those under the critical sectors remit include healthcare, transport, police, recruitment, and the legal system, while technologies of critical use include such technologies with a risk of death, damage or injury, or with legal ramifications.
Clearview AI
Elsewhere, the EU has taken a robust stance on the application of facial recognition elsewhere in the world.
Following the recent news that US technology firm Clearview AI has scraped more than three billion facial images from social media sites including YouTube, Facebook and Twitter, without obtaining users’ permission, the Commission had been in consultation with EU data protection authorities over whether the data of European citizens could have been at risk.
Clearview AI provides law enforcement agencies with a database that is able to match images of faces with over three billion other facial pictures scraped from social media sites.
“The Commission is aware of the press reports, we are following the dossier and remain in close contact with national data protection authorities and the European Data Protection Board,” a spokesperson from the EU executive told EURACTIV.
“These technologies don’t operate in a legal vacuum. The use of personal data falls under strict GDPR rules requiring well-defined legal basis and legitimate purposes, that the data subject is aware of the process and has means of redress and verification.”
Clearview AI is not a member of the 2016 EU-US Privacy Shield agreement, which obliges American companies to protect personal data belonging to EU citizens, according to EU standards and consumer rights.
*writer, EU affairs in the fields of digital policy and technology
**first published in: euractiv.com
By: N. Peter Kramer
