EU AI Act: new Era for Biometrics

Background: case study for a Security and Biometric Systems Company 

A leading company in security and biometric systems faced significant challenges with the adoption of the EU Artificial Intelligence Act. They needed to understand and navigate the stringent regulations, especially those impacting biometric technologies.

📅 Key Timelines:
June July -2024: Formal adoption.
Mid-2026: Enforcement begins.
6 Months Post-Adoption - End 2024: Prohibition of unacceptable risk AI practices.
 

Critical Insights:

Prohibited Practices:
- Biometric categorization systems.
- Emotion recognition systems.
- AI expanding facial recognition databases via untargeted data scraping or CCTV footage.
- Real-time remote biometric identification in public spaces for law enforcement, except in exhaustively listed and narrowly defined situations 

High-Risk Systems: 
- Systems that biometrically categorize individuals according to sensitive attributes and characteristic
- Emotion recognition systems (which are not prohibited)
- AI using remote biometric identification systems that are automated recognition of physical, physiological and behavioral human features for the purpose of establishing an individual’s identity by comparing biometric data of that individual to stored biometric data of individuals in a reference database, irrespective of whether the individual has given its consent or not. This excludes AI used solely to provide access to a service, unlock a device or gain access to a restricted premise

These will face stringent requirements, including:
- Risk Management
- Data Governance
- Technical Documentation
- Human Oversight
- Accuracy and Robustness



 

Strategy and Implementation:

We discussed the proactive steps to align with the EU AI Act that the company can take:

➡ Inventory of Current Systems: Conducted a thorough inventory of existing biometric systems and GPAI Models (that have their own set of obligations).

➡ Evaluate AI Act Applicability: for each system, evaluate applicability and impact assessments to identify potential prohibited systems and areas needing compliance and how operations and organization might be impacted.

➡ Compliance Programs: conduct a detailed compliance gap analysis and formulate a concrete action plan to ensure adherence to new high-risk system requirements.

➡ Training and Documentation: Provided extensive training to staff and developed comprehensive documentation to meet transparency and risk management requirements.

By addressing these challenges head-on, the company not only ensured compliance but also positioned itself as a leader in ethical AI practices within the security and biometrics industry.