Debates over the regulation of biometric artificial intelligence systems have been among the most divisive elements of the EU’s proposed Artificial Intelligence Act. Since the European Commission unveiled its draft, the European Parliament, the Commission itself, and the Council of the European Union have taken markedly different stances, particularly on definitions, classifications, and permissible uses of biometric technologies.

The AI Act’s treatment of biometrics is notably more granular than that of the General Data Protection Regulation (GDPR). While the GDPR contains a single definition—biometric data under Article 4(14)—the Commission’s proposal introduces six distinct terms: biometric data, emotion recognition system, biometric categorization system, remote biometric identification system, real-time remote biometric identification system, and post-remote biometric identification system. The Parliament’s position paper adds three more: biometric-based data, biometric identification, and biometric verification, while broadening “biometric categorization” to include inferences drawn from biometric data. The Council, meanwhile, defines “general purpose AI” in a way that could encompass biometric data when tied to image or speech recognition.
These definitional expansions are not purely academic. They underpin diverging regulatory approaches. The Commission categorizes biometric categorization systems as “high-risk,” whereas the Parliament deems them an unacceptable risk and bans them outright, save for therapeutic uses. The Council removes them from the high-risk category entirely, imposing only transparency obligations. The Parliament’s approach is the strictest, enlarging the list of banned biometric AI systems and reclassifying others into higher-risk tiers. It distinguishes biometric verification systems—one-to-one matching—from broader biometric identification systems—one-to-many matching—placing verification in a lower-risk bracket.
Real-time remote biometric identification in public spaces has been the most contested point. The Commission’s initial stance was to prohibit law enforcement use, with exceptions for locating crime victims (including missing children), preventing imminent threats such as terrorist attacks, and detecting suspects facing charges with penalties of at least three years’ imprisonment. The Council expanded these exceptions, a move that coincided with French legislative plans to deploy facial recognition for the Paris 2024 Olympics. The Parliament took the opposite tack, advocating a complete ban on such systems in public spaces for both public and private actors.
In the financial sector, the Parliament’s text offers a notable carve-out. Annex III – paragraph 1(5)(b) exempts AI systems used for detecting financial fraud from the high-risk category applied to creditworthiness and credit scoring tools. The provision reads: “AI systems intended to be used to evaluate the creditworthiness of natural persons or establish their credit score (are high risk), with the exception of AI systems used for the purpose of detecting financial fraud.” Yet the scope of this exemption remains ambiguous. It is unclear whether it applies solely to credit assessment contexts or extends to other financial services, such as payment processing, where fraud prevention is integral to authentication and transaction monitoring.
Recital 37 reinforces the exemption: “AI systems provided for by (EU) law for the purpose of detecting fraud in the offering of financial services should not be considered as high-risk under this Regulation.” However, no EU law currently mandates AI use for fraud detection, though regulators encourage it. The draft Payment Services Regulations note: “To be able to prevent ever new types of fraud, transaction monitoring should be constantly improved, making full use of technology such as artificial intelligence.” The interaction between this carve-out and the Parliament’s classification of biometric systems as high risk remains unresolved, especially for biometric fraud detection tools.
The Parliament’s Recital 33a reflects GDPR influence, asserting: “As biometric data constitute a special category of sensitive personal data in accordance with (GDPR) Regulation 2016/679, it is appropriate to classify as high-risk several critical use-cases of biometric and biometrics-based systems…” Yet under GDPR Article 9(1), biometric data is special-category only when used for uniquely identifying a person. This creates a legal divergence: emotion recognition, for example, may be high risk or prohibited under the AI Act, but not special-category under GDPR unless it reveals health data. Similarly, biometric categorization might expose political orientation, triggering GDPR protections for political opinion data rather than biometric data per se.
Such nuances are expected to surface in trilogue negotiations. They underscore that biometric categorization and emotion recognition are not inherently special-category data under GDPR, even if classified as banned or high risk under the AI Act. Stakeholders will need to navigate these overlapping but distinct regulatory frameworks as the legislative process advances.
