Artificial Intelligence Act: a welcomed initiative, but ban on remote biometric identification in public space is necessary
The European Commission’s legislative proposal for an Artificial Intelligence Act is the first initiative, worldwide, that provides a legal framework for Artificial Intelligence (AI). The EDPS welcomes and supports the European Union’s (EU) leadership aiming to ensure that AI solutions are shaped according to the EU’s values and legal principles.
Wojciech Wiewiórowski, EDPS, said: “I am proud of this initiative and particularly welcome the horizontal approach in a Regulation, as well as the broad scope of its application which importantly includes the European Union institutions, bodies, offices and agencies (EUIs). The EDPS stands ready to fulfil its new role as the AI regulator for the EU public administration.
I also acknowledge the merits in the risk-based approach underpinning the proposal. Indeed, there are numerous Artificial Intelligence applications that present limited threat for the fundamental rights to data protection and privacy while giving the humanity a potentially powerful tool to fight against today’s problems.”
At the same time, the EDPS regrets to see that our earlier calls for a moratorium on the use of remote biometric identification systems - including facial recognition - in publicly accessible spaces have not been addressed by the Commission.
The EDPS will continue to advocate for a stricter approach to automated recognition in public spaces of human features - such as of faces but also of gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioural signals - whether these are used in a commercial or administrative context, or for law enforcement purposes. A stricter approach is necessary given that remote biometric identification, where AI may contribute to unprecedented developments, presents extremely high risks of deep and non-democratic intrusion into individuals’ private lives.
The EDPS will undertake a meticulous and comprehensive analysis of the Commission’s proposal to support the EU co-legislators in strengthening the protection of individuals and society at large. In this context, the EDPS will focus in particular on setting precise boundaries for those tools and systems which may present risks for the fundamental rights to data protection and privacy.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (EDPS), was appointed by a joint decision of the European Parliament and the Council on to serve a five-year term, beginning on 6 December 2019.
Processing of personal data: According to Article 3(3) of Regulation (EU) 2018/1725, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. See the glossary on the EDPS website.
Personal data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details, such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about his or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
The powers of the EDPS are clearly outlined in Article 58 of Regulation (EU) 2018/1725.