Biometrics in the EU: Navigating the GDPR, AI Act
Contributors:
Richard Lawne
CIPP/E, CIPP/US, CIPM
Senior Associate
Fieldfisher Silicon Valley
Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
Biometric technologies have long been used to identify individuals, primarily in security and law enforcement contexts. Today, however, their use is expanding rapidly into new domains. Driven by advances in artificial intelligence, biometric technologies now claim the ability to infer a person's emotions, personality traits and other characteristics based solely on physical features.
These tools are increasingly used across various settings: businesses analyze facial expressions to gauge customer sentiment and evaluate job candidates, employers deploy monitoring tools to measure employee focus, and online platforms leverage biometric software to enforce age restrictions.
European regulations have evolved in response to this changing landscape. Since 2018, the EU General Data Protection Regulation has governed the processing of biometric data as a form of personal data and, when used to uniquely identify individuals, as "special category data." The processing of special category data is generally prohibited unless the individual provides explicit consent or another condition under Article 9(2) applies.
Building on this foundation, the EU AI Act introduces a new layer of regulation that targets four types of biometrics and classifies them by risk — ranging from prohibited to high risk and limited risk — based on their purpose and context of use.
Remote biometric identification