Introduction[1]
Facial recognition technologies (FRTs) are biometric systems widely used in the EU context. These algorithmic technologies provide a very intrusive surveillance power and it is not surprising that the debate around them has been fuelled by discussion of the AI Act proposal, which includes the definition of prohibited uses of AI systems. However, there is one specific application of FRTs that does not seem to receive sufficient attention, not even in the proposal, namely the integration of FRTs into the EU’s information systems, which are currently being upgraded. This huge infrastructure, if built, would make these technologies even more pervasive and intrusive than they already are.
Facing function creep
FRTs are versatile because they can be used for many purposes and in many contexts. One of the most widespread applications is at airports, where these technologies are deployed with the aim of saving time, making controls more efficient and increasing security.[2] However, a project is underway to make the use of these technologies even more systematic and not only related to smart border controls.
This is the case for EU information systems, which are large-scale IT systems structured in centralised databases managed by the EU and networks linking EU institutions and bodies with the Member States. Each IT system was initially designed and implemented for very different purposes, but over time they have undergone function creep, i.e. an expansion of their scope and functions that has caused them to overlap, broadening – or distorting – their original mission.[3] The effect of function creep has been twofold: on the one hand, it has led to an increase in the amount of data collected and shared by these systems, particularly biometric data such as biometric templates extracted from facial images;[4] on the other hand, it has benefited law enforcement authorities (LEAs), who are able to use them for public security purposes.[5]
This is what has happened with the Schengen Information System (SIS), which was created to enable an exchange of information in order to strengthen both the Union’s external border controls and public security within the EU. In 2018 the SIS was modified through three regulations, with the aim of extending it to police and judicial cooperation in criminal matters (e.g. for surrender and extradition purposes, or inquiries), border checks (e.g. refusing entry into and denying permission to stay in the territory), and the return of illegally staying third-country nationals (e.g. granting or extending a residence permit or long-stay visa).
Similarly, the European Asylum Dactyloscopy Database (Eurodac) was created to collect the digitised fingerprints of asylum seekers and irregular migrants for the purpose of determining the State responsible for examining applications for international protection. The amendments proposed in 2016 aim to use the system also to fight illegal immigration and the secondary movements of third-country nationals.
Then there is the Visa Information System (VIS), created by Regulation (EC) No 767/2008 and aimed at facilitating border checks in the case of short-stay visas to the Schengen Area. Under a proposal presented in 2018, VIS would also be extended for the purpose of preventing threats to internal security, covering children up to the age of six and, for the first time, holders of long-stay visas and residence permits.
Finally, we must consider the Entry/Exit System (EES), established by Regulation (EU) 2017/2226 but currently still under development, as a system that will electronically register the entry and exit of third-country nationals, with a view to replacing passport stamping. The EES could be used as a generalised means of identifying anonymous suspects, perpetrators or victims of crimes, but also as an intelligence tool to reconstruct the history of travellers suspected of crimes.
All these systems will ultimately have to be made interoperable thanks to the ‘twin’ regulations adopted in 2019, the first on borders and visas and the second on police and judicial cooperation, asylum and migration.[6] With the full implementation of these regulations, which will take place in the next few years, LEAs will be able to use a European search portal (ESP), which will allow them to query all the EU information systems mentioned in parallel, albeit always in accordance with the purposes and limits set by the rules of each information system. The Biometric Matching Service (BMS) will also make it possible to conduct biometric queries and make cross-references between the templates contained in the various interoperable systems without the need for separate searches. A relevant innovation is also the creation of a Common Identity Repository (CIR), namely a common database containing personal data from the VIS, Eurodac and EES,[7] in which individual files containing the alphanumeric and biometric data of non-EU persons are created and stored. In the future, facial images of people who have not necessarily committed a crime, but have simply applied for a visa or crossed a Schengen border, could be used as a reference to identify criminals or for intelligence purposes.
The (missing) novelties in the AI Act
This huge infrastructure, and the very complex regulation behind it,[8] is expected to coexist with the AI Act when it comes into force. But coexistence will not be easy. Art. 83 of the proposal and Annex IX of the AI Act establish that the new Regulation “shall not apply to the AI systems which are components of the large-scale IT systems” placed on the market or put into service before a certain period of time after the entry into force of the Regulation. The requirements laid down in the AI Act will only “be taken into account” in the evaluation of each large-scale IT system. In practice, as also noted by many NGOs,[9] the forthcoming implementation of the interoperable infrastructure will not be subject to the AI Act. The complexity of the rules is thus bound to increase.
On the one hand, there will be rules on the use of FRTs by LEAs under the AI Act. According to the General Approach of the Council, adopted in November 2022, the use of “real-time” remote biometric identification in publicly accessible spaces for law enforcement purposes will be prohibited, with the large exceptions provided for in Art. 5.[10] Other uses, such as “ex post” recognition – where the biometric data have already been captured, and the comparison and identification occur not instantaneously but only “after a significant delay” (Recital 8 AI Act) – will be allowed and considered “high risk” (Art. 6(3) and Annex III AI Act). However, considering that the discussion on the AI Act is still ongoing, some changes may still occur. The text adopted by the European Parliament in June 2023 is quite clearly in favour of extending tout court the ban on ‘real-time’ use of FRTs in publicly accessible spaces, but also of prohibiting ‘post’ remote biometric identification systems, unless there is “a pre-judicial authorisation” in accordance with law and it is “strictly necessary” for the “targeted search connected to a specific serious criminal offense that already took place”.
On the other hand, there are different rules allowing LEAs to use FRTs to identify persons under the conditions defined by the Interoperability Regulations. Once the CIR is operational, it could be used for identification purposes in a number of cases where the identification of people is complicated (Art. 20(1) Interoperability Regulations). In this respect, the Regulations leave it up to national law to determine the precise procedures, conditions and criteria of such checks. (Art. 20(5) Interoperability Regulations). Moreover, identification will be allowed when “there are reasonable grounds to believe that consultation of EU information systems will contribute to the prevention, detection or investigation of terrorist offences or other serious criminal offences”, in particular where there is a suspicion that data are stored in Eurodac (Art. 22(1) Interoperability Regulations). As a result, facial images collected in the various IT systems, for all the different purposes mentioned above, may be used for “ex post” identification of individuals if the above conditions are met, so there is a partial overlap with the scenario envisaged by the rules of the AI Act.
In this sense, there are different conditions for using FRTs. But there are also other relevant implications for the rules and governance criteria that apply. According to the AI Act, “high risk” systems will be subject to an internal “conformity assessment” carried out by providers in order to demonstrate compliance with all the obligations set out in the AI Act and to be able to affix the CE mark (Arts. 19 and 43 AI Act). According to the Interoperability Regulations, by contrast, no internal conformity assessment or CE marking will be required, but there will be a more direct engagement of public authorities, such as the national authorities of Member States and, above all, the eu-Lisa Agency, both during the design and development phase and following the entry into operation (Arts. 54 and 55 Interoperability Regulations). These are very different situations, with significant consequences in terms of the responsibility for controls, the actual quality of the systems and, therefore, the protection of fundamental rights.
Conclusions
A way has to be found to put together a coherent regulatory framework and to coordinate these different pieces of legislation. When we talk about FRTs and interoperability, we are dealing with systems capable of gaining in-depth knowledge about people’s identities, habits and behaviours. A situation of legal uncertainty exposes citizens excessively to the power of public authorities and opens up panoptic surveillance scenarios that are too dangerous.
[1] Giuseppe Mobilio is assistant professor in Constitutional Law at the University of Florence.
[2] T. Christakis, et al., Mapping the Use of Facial Recognition in Public Spaces in Europe – Part 3: Facial Recognition for Authorisation Purposes. Report of the AI- Regulation Chair, MIAI, May 2022.
[3] M. Tzanou, “The EU as an emerging ‘Surveillance Society’: The function creep case study and challenges to privacy and data protection”, in Vienna Journal on International Constitutional Law, 4, 3, 2010, 407 ff.
[4] FRA, Facial recognition technology: fundamental rights considerations in the context of law enforcement, 27 November 2019, 13 ff.
[5] N. Vavoula, “Databases for Non-EU Nationals and the Right to Private Life: Towards a System of Generalised Surveillance of Movement?”, in F. Bignami (eds.), EU Law in Populist Times, Cambridge University Press, Cambridge, 2020, 227 ff.
[6] N. Vavoula, “Interoperability of EU Information Systems: The Deathblow to the Rights to Privacy and Personal Data Protection of Third-Country Nationals?”, in European Public Law, 26, 1, 2020, 131.
[7] As well as from the European Travel Information and Authorisation System (ETIAS) and the European Criminal Records Information System for Third-Country Nationals (ECRIS-TCN).
[8] H. Aden, “Interoperability Between EU Policing and Migration Databases: Risks for Privacy”, in European Public Law, 26, 1, 2020, 93, 100 ff.
[9] See also E. Longo, Il possibile impatto dell’AI Act sull’immigrazione: iniziamo a discuterne, in ADiM Blog, February 2023.
[10] G. Mobilio, “Your face is not new to me – Regulating the surveillance power of facial recognition technologies”, in Internet Policy Review, 12, 1, 2023, 1 ff.
