In a supplement to the CoESS in-depth assessment of the EU AI Act, CoESS calls on negotiators in European Parliament to clearly distinguish in the legal text between biometric identification on the one, and biometric verification and authentication on the other hand. In CoESS opinion, the latter two should be excluded from the scope of the future EU Regulation on the use of high-risk Artificial Intelligence system, as they are already sufficiently governed by the EU General Data Protection Regulation (GDPR).
In the paper published today, CoESS stresses that the definition of “biometric identification systems” must clearly differentiate this high-risk technology from biometric verification and authentication systems.
The latter are already sufficiently regulated by the GDPR, come with a considerably lower risk, as they are based on data subject consent, and should hence be excluded from the scope of the EU AI Act. To this end, this paper recommends concrete amendments to the legal text to support the European Parliament in agreeing on a legally sound report for this highly important file.
Particularly biometric verification technologies can be of great added value for strengthened access control at sensitive locations, such as Critical Infrastructure or government facilities. For the purpose of verification, a comparison is made between an identified facial map, or other biometric data, and a database of identifying data to which a natural person has given consent - in full compliance with GDPR.
CoESS recommendation is in line with changes that feature in the current compromise agreements in European Council and addresses an important short-coming in the initial proposal of the European Commission.