Real-time and post-hoc biometric identification in public spaces.
Abstract
Biometric-identification governance covers real-time and post-hoc biometric identification in public spaces — among the most consequential surveillance questions in AI law, and one where the editorial read of the field is settled. Across the catalogued instruments, four govern it directly — the EU AI Act through a prohibition with carve-outs, the GDPR through special-category-data and automated-decision rules, the EU Platform Work Directive through a one-to-many biometric-identification prohibition for platform workers, and China's Deep Synthesis Provisions through a consent requirement for biometric-information editing — while most other regimes address it only implicitly or remain silent. This article maps, with primary-source citations, which instruments govern biometric identification, which touch it implicitly, and which are silent.
Explainer
Biometric identification — matching faces or other physical traits against a database, whether in real time or after the fact — is governed most directly in the European Union, and even there the headline rule is narrower than it first appears. The EU AI Act (Regulation (EU) 2024/1689) prohibits real-time remote biometric identification in publicly accessible spaces under Article 5(1)(h), but the same provision carves out law-enforcement uses — searching for victims, preventing imminent threats, and locating serious-crime suspects — and Article 26(10) permits post-hoc identification subject to judicial authorisation after the fact. The General Data Protection Regulation reaches the same practice from a different angle, treating biometric data used for identification as a special category under Article 9 and giving individuals a qualified right against solely automated decisions under Article 22. Two further instruments govern narrower facets of the same practice: the EU Platform Work Directive (Directive (EU) 2024/2831) prohibits digital labour platforms from identifying platform workers by one-to-many biometric comparison against a database (Article 7), and China's Deep Synthesis Provisions require the separate consent of any person whose facial or vocal biometric information is edited (Article 14).
Beyond these direct governors the catalogued coverage thins quickly. The United States' Executive Order 14110, the United Kingdom's 2023 AI white paper, and the Council of Europe's AI Convention each touch biometric identification only implicitly — through general civil-rights, data-protection, or non-discrimination provisions rather than a dedicated rule — while a further set of instruments, including the G7 Hiroshima code, the OECD AI Principles, China's Generative AI Measures, and the 2024 UN resolution, are silent on it altogether. That uneven map is itself the governance reality: in a comparative US/EU/UK study, Almeida, Shmarko and Lomas (2022) find there is no standardised human-rights framework that applies cleanly to facial-recognition deployment.
The empirical case for scrutiny rests on well-documented accuracy disparities. Buolamwini and Gebru's 2018 'Gender Shades' audit found commercial gender-classification error rates as high as 34.7 per cent for darker-skinned women against under one per cent for lighter-skinned men, and the US National Institute of Standards and Technology's 2019 Face Recognition Vendor Test reported false-positive differentials varying by factors of ten to over a hundred across demographic groups. Those findings underpin the concern that biometric identification, deployed at scale, distributes its errors unequally.
Policy Window records the field's empirical consensus as settled — not because the policy debate is closed, but because the catalogued instruments and the evidence behind them point consistently in one direction: the technology's risks are documented, and the binding governance response is concentrated in the European Union while most other regimes address it only implicitly or not at all. Every claim here traces to the primary instruments and peer-reviewed sources cited throughout this article; the coverage table below shows, instrument by instrument, which regimes govern biometric identification directly, which reach it only implicitly, and which are silent.
Definition & scope
The cross-jurisdiction picture below shows how each of 45 tracked instruments treats this topic. The patterns vary substantially — and 37 regimes are silent, leaving gaps that future policy work could address.
Regulatory approaches
The instruments that touch biometric identification do so through markedly different legal modalities, which the cross-jurisdiction verdict table does not separate out. Four are distinguishable. (1) Prohibition-with-carve-out: the EU AI Act bans real-time remote biometric identification (RBI) in publicly accessible spaces for law enforcement (Art. 5(1)(h)), then re-admits it for three enumerated purposes subject to prior judicial or independent administrative authorisation, a fundamental-rights impact assessment, and registration in the EU database (Art. 5(2)-(7)); post-hoc RBI is regulated separately as high-risk, requiring authorisation "ex-ante, or without undue delay and no later than 48 hours" (Art. 26(10)). (2) Data-protection gatekeeping: the GDPR treats biometric data processed for unique identification as a special category presumptively prohibited unless an Art. 9(2) condition applies, layered with Art. 22 limits on solely-automated decisions. (3) Sectoral/principles-based delegation: the UK's 2023 White Paper assigns oversight to existing regulators (notably the ICO) rather than creating a biometric-specific rule (DSIT 2023). (4) Sub-national prohibition: in the US, government use has been curbed not federally but by ordinance, beginning with San Francisco's 2019 ban on municipal-agency use (San Francisco Administrative Code, Stop Secret Surveillance Ordinance 2019; Ordinance No. 107-19). This patchwork is consistent with comparative work finding facial-recognition regulation for arrests across democracies remains inconsistent and unclear 1, and with the broader US/EU/UK assessment that "there is no standardised human rights framework" readily applicable to deployment 2. The composite pattern - Policy Window's editorial reading - is that no jurisdiction relies on a single mechanism; the EU stacks all four logics, while the US substitutes locality-level bans for an absent national rule, a gap some argue should be filled through co-constructed, publicly participatory policymaking 3. China adds a further modality through its deep-synthesis provisions, which require providers of facial or vocal biometric editing functions to prompt users to lawfully notify, and obtain the separate consent of, the person being edited (Art. 14).
Key fault lines
Beneath the verdict map lie several genuinely contested questions on which jurisdictions and commentators diverge. First is the real-time/post-hoc boundary. The EU AI Act draws its sharpest line here - near-prohibition for live RBI (Art. 5(1)(h)) but a permissive high-risk regime for retrospective matching (Art. 26(10)) - yet scholars argue retrospective facial recognition is itself a "step change" in surveillance whose chilling effects and weak legal basis warrant comparable constraint, implying the statutory line may be under-protective 4. Second is the locus of regulation: EU law concentrates on law-enforcement deployments in public space, whereas the strongest documented US enforcement levers operate against private actors through biometric-privacy statutes (Illinois BIPA; Texas CUBI) - leaving the public-sector identification context comparatively under-governed in the US, an asymmetry Policy Window flags as the field's central coverage gap. Third is the regulatory form itself: a hard ban (San Francisco 2019) versus a moratorium (California's body-camera limit, effective 1 January 2020) versus proportionality-and-authorisation gating (EU AI Act; CoE Convention Arts. 10-11), with case-study analysis arguing policing use needs a tailored framework grounded in necessity and proportionality rather than ad hoc deployment 5. UK litigation underscores how exacting that gating can be: in Bridges v South Wales Police, live automatic facial recognition was held unlawful on Article 8 privacy, data-protection-impact-assessment, and public-sector-equality-duty grounds 6. Fourth, the carve-outs are themselves contested: the EU's three law-enforcement exceptions, the GDPR's Art. 9(2)(g) "substantial public interest" gateway, and Art. 22(2) disapplications each shift the operational default toward permitted-with-overlay rather than prohibited - a drafting choice critics characterise as the exception swallowing the rule, and which the catalogue records as a power-asymmetry note rather than a settled verdict. EU law also reaches private-sector employment beyond the law-enforcement focus described here: the Platform Work Directive prohibits digital labour platforms from processing biometric data to establish a worker's identity by one-to-many comparison (Directive (EU) 2024/2831, Article 7).
Trajectory / what is changing
Several dated developments are moving this topic from text to operation. The EU AI Act entered into force on 1 August 2024; its Article 5 prohibitions - including the real-time RBI ban - became applicable on 2 February 2025, ahead of most of the Regulation, and became enforceable by designated national authorities from 2 August 2025, with penalties up to EUR 35 million or 7% of worldwide turnover (Regulation (EU) 2024/1689, Arts. 99, 113). On 4 February 2025 the European Commission published non-binding Guidelines on prohibited AI practices interpreting Article 5; they clarify that "publicly accessible spaces" reaches streets and open squares but excludes controlled-access environments such as prisons, and that "real-time" denotes negligible capture-to-identification delay (European Commission, Guidelines on Prohibited Artificial Intelligence Practices, 4 Feb 2025). Whether this codification is filling a true vacuum is contested: some argue the pre-existing EU framework already contained norms "directly or indirectly applicable to facial recognition" in policing 7, while others frame domestic regulation as an "international obligation" to treat the technology as unacceptable-risk 8. In parallel, the Council of Europe Framework Convention on Artificial Intelligence (CETS No. 225) - which obliges parties to protect privacy and non-discrimination across the AI lifecycle (Arts. 10-11) - was opened for signature on 5 September 2024 (Council of Europe 2024); its entry into force requires five ratifications (including three Council of Europe members), and while some trackers report that threshold was reached in late 2025 with the European Union ratifying in 2026, this is not yet confirmed against the Council of Europe primary source. The net trajectory, in Policy Window's editorial reading, is convergence on procedural gating (authorisation, impact assessment, registration) rather than on outright prohibition, even as scoping reviews continue to find the empirical evidence base on real-world law-enforcement use thin 9 and the long-silent regimes catalogued here remain candidates for future codification.
Coverage across jurisdictions
Historical primacy & cross-jurisdiction tension
First addressed by General Data Protection Regulation (GDPR) on (governs). Subsequent regimes have either codified, diverged from, or remained silent on this baseline.
Compare jurisdictions: EU vs US · EU vs UK · EU vs CN
Enforcement & impact
Silent regimes — gap signal
Instruments that do not address Biometric Identification — candidates for future policy work.
- Executive Order 14179 — Removing Barriers to American Leadership in AIUS
- Interim Measures for Generative AI Service ManagementCN
- G7 Hiroshima AI Process Code of ConductG7
- OECD AI Principles (Recommendation)OECD
- UN GA Resolution on Safe, Secure, Trustworthy AIUN
- NIST AI Risk Management FrameworkUS
- Bletchley Declaration on AI Safetyglobal
- Seoul Declaration on Safe, Innovative and Inclusive AIglobal
- NIST AI RMF Generative AI ProfileUS
- California SB-1047: Safe and Secure Innovation for Frontier AI Models ActUS
- India Digital Personal Data Protection Act + AI Advisory (MEITY)IN
- Brazil AI Bill (PL 2338/2023)BR
- ASEAN Guide on AI Governance and EthicsASEAN
- African Union Continental AI StrategyAfrican_Union
- Anthropic Responsible Scaling Policy (RSP) v2US
- OpenAI Preparedness FrameworkUS
- Google DeepMind Frontier Safety FrameworkUS
- Meta Frontier AI FrameworkUS
- UK-US AI Safety Institute Memorandum of Understandingglobal
- White House Voluntary AI CommitmentsUS
- Singapore Model AI Governance Framework for Generative AISG
- Japan METI AI Guidelines for BusinessJP
- EU General-Purpose AI Code of PracticeEU
- OMB Memorandum M-24-10 (Advancing Governance, Innovation, and Risk Management for Agency Use of AI)US
- GSA Generative AI and Specialized Computing Infrastructure Acquisition Resource GuideUS
- DoD Responsible AI Strategy and Implementation PathwayUS
- FedRAMP AI Cloud Procurement GuidanceUS
- DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting)US
- California SB-53: Transparency in Frontier Artificial Intelligence Act (TFAIA)US
- California SB 243: Companion ChatbotsUS
- California SB 942: AI Transparency ActUS
- Revised Product Liability Directive (Directive (EU) 2024/2853)EU
- New York RAISE Act: Responsible AI Safety and Education ActUS
- TAKE IT DOWN Act (Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act)US
- Italy Law No. 132/2025 on Artificial Intelligence (Legge 23 settembre 2025, n. 132)IT
- Japan AI Promotion Act (Act on the Promotion of Research, Development and Utilization of AI-Related Technologies)JP
- UN Global Digital CompactUN
See also
Further reading
13 academic & grey-literature sources bearing on this topic — catalogued metadata with a primary link; one-line findings are ✦ AI-generated summaries, labeled as such (charter §7.9). Browse the full literature index.
- Facial recognition technology in law enforcement: a scoping review of existing empirical studies Peer-reviewed✦ AIScoping review mapping the empirical evidence base on law-enforcement FRT, identifying gaps in research on real-world identification use and its governance.
- Global perspectives on regulating facial recognition technology utilization for criminal justice arrests Peer-reviewed✦ AIComparative study of facial-recognition regulation for arrests across democracies finds frameworks are inconsistent and unclear, raising privacy and civil-liberties risks.
- Facial Recognition Technology in Policing and Security—Case Studies in Regulation Peer-reviewed✦ AIThrough regulatory case studies, argues facial recognition in policing requires a tailored governance framework grounded in necessity and proportionality rather than ad hoc deployment.
- Facial recognition technology: regulations, rights and the rule of law Peer-reviewed✦ AIArgues states have an "international obligation...to domestically regulate" facial recognition as an unacceptable-risk AI system to protect human rights and the rule of law.
- Police Use of Retrospective Facial Recognition Technology: A Step Change in Surveillance Capability Necessitating an Evolution of the Human Rights Law Framework Peer-reviewed✦ AIArgues retrospective facial recognition is a step change in police surveillance whose chilling effects and weak legal basis demand an evolved human-rights framework.
- The Use of Facial Recognition Technology by Law Enforcement in Europe: a Non-Orwellian Draft Proposal Peer-reviewed✦ AIArgues the EU framework already contains norms "directly or indirectly applicable to facial recognition" in policing, and drafts a dedicated rights-protective law for its use.
- The ethics of facial recognition technologies, surveillance, and accountability in an age of artificial intelligence Peer-reviewed✦ AIComparative US/EU/UK analysis concluding "there is no standardised human rights framework and regulatory requirements that can be easily applied to FRT rollout".
- Police use of facial recognition technology: The potential for engaging the public through co-constructed policy-making Peer-reviewed✦ AIArgues meaningful public participation and an oversight framework should govern police adoption of FRT, presenting co-constructed policymaking as a model for addressing surveillance concerns.
- Automatic Facial Recognition and the Intensification of Police Surveillance Peer-reviewed✦ AIAnalysing Bridges v South Wales Police, shows live AFR was ruled unlawful on Article 8 privacy, data-protection-impact-assessment, and public-sector-equality-duty grounds.
- Face Recognition Vendor Test (FRVT) Part 3: Demographic Effects Research institute✦ AICross-algorithm benchmark finding false-positive differentials "vary by factors of 10 to beyond 100 times" across demographics — the empirical basis for accuracy-disparity rules.
- Aadhaar: Governing with Biometrics Peer-reviewed✦ AIAnalyses India's Aadhaar as a biometric mode of governance that links bodies to databases, producing new regimes of welfare inclusion and exclusion.
- Gender Shades: Intersectional Accuracy Disparities in Commercial Gender Classification Peer-reviewed✦ AIAudit of commercial classifiers showing "darker-skinned females are the most misclassified group (with error rates of up to 34.7%)" versus 0.8% for lighter-skinned males.
- Anthropomorphic AI terms create gaps in accountability | Brookings Think tank✦ AICommentary on how anthropomorphic AI language obscures accountability.
References
Sources cited inline in the analysis (linked from the superscript markers), then the primary instrument sources behind the classifications.
- Pedro Robles, Daniel J. Mallinson, Eric Best, Cheryl Devaney, Lauren Azevedo (2025) Global perspectives on regulating facial recognition technology utilization for criminal justice arrests, Global Public Policy and Governance. 10.1007/s43508-025-00117-9 — Comparative study of facial-recognition regulation for arrests across democracies finds frameworks are inconsistent and unclear, raising privacy and civil-liberties risks. ↩
- Almeida, Shmarko & Lomas (2022) The ethics of facial recognition technologies, surveillance, and accountability in an age of artificial intelligence, AI and Ethics. 10.1007/s43681-021-00077-w — Comparative US/EU/UK analysis concluding "there is no standardised human rights framework and regulatory requirements that can be easily applied to FRT rollout". ↩
- Dallas Hill, Christopher D. O'Connor, Andrea Slane (2022) Police use of facial recognition technology: The potential for engaging the public through co-constructed policy-making, International Journal of Police Science & Management. 10.1177/14613557221089558 — Argues meaningful public participation and an oversight framework should govern police adoption of FRT, presenting co-constructed policymaking as a model for addressing surveillance concerns. ↩
- Daragh Murray (2024) Police Use of Retrospective Facial Recognition Technology: A Step Change in Surveillance Capability Necessitating an Evolution of the Human Rights Law Framework, The Modern Law Review. 10.1111/1468-2230.12862 — Argues retrospective facial recognition is a step change in police surveillance whose chilling effects and weak legal basis demand an evolved human-rights framework. ↩
- Nessa Lynch (2024) Facial Recognition Technology in Policing and Security—Case Studies in Regulation, Laws. 10.3390/laws13030035 — Through regulatory case studies, argues facial recognition in policing requires a tailored governance framework grounded in necessity and proportionality rather than ad hoc deployment. ↩
- Bernard Keenan (2021) Automatic Facial Recognition and the Intensification of Police Surveillance, The Modern Law Review. 10.1111/1468-2230.12623 — Analysing Bridges v South Wales Police, shows live AFR was ruled unlawful on Article 8 privacy, data-protection-impact-assessment, and public-sector-equality-duty grounds. ↩
- Raposo (2023) The Use of Facial Recognition Technology by Law Enforcement in Europe: a Non-Orwellian Draft Proposal, European Journal on Criminal Policy and Research. 10.1007/s10610-022-09512-y — Argues the EU framework already contains norms "directly or indirectly applicable to facial recognition" in policing, and drafts a dedicated rights-protective law for its use. ↩
- Mais Qandeel (2024) Facial recognition technology: regulations, rights and the rule of law, Frontiers in Big Data. 10.3389/fdata.2024.1354659 — Argues states have an "international obligation...to domestically regulate" facial recognition as an unacceptable-risk AI system to protect human rights and the rule of law. ↩
- Emelie Stiernströmer (2026) Facial recognition technology in law enforcement: a scoping review of existing empirical studies, Police Practice and Research. 10.1080/15614263.2026.2627208 — Scoping review mapping the empirical evidence base on law-enforcement FRT, identifying gaps in research on real-world identification use and its governance. ↩
- EU-AIA-2024: Art. 5(1)(h) prohibition + Art. 26(10) post-hoc rules
- US-EO-14110: §7 civil rights; sectoral agencies retain authority
- UK-WHITEPAPER-2023: ICO + Surveillance Camera Commissioner remit
- COE-AI-CONV: Arts. 10-11 (privacy + non-discrimination)
- EU-GDPR-2016: Art. 9 special-category processing (biometric data for unique identification); Art. 22 ADM with safeguards
- UNESCO-AI-ETHICS-2021: Proportionality & do-no-harm principle (AI should not be used for mass surveillance/social scoring) + Right to privacy principle (para 74, biometric data) — no dedicated biometric-ID provision
- EU-PWD-2024: Directive (EU) 2024/2831, Article 7
- CN-DEEPSYN-2022: Art. 14
Cite this article 8 formats · BibTeX, RIS, APA, Chicago, … · 1-click copy
Persistent identifier: https://policywindow.org/wiki/biometric-id — committed-stable URL with content-versioning via ?asOf= (rollout pending per methodology §7). DOIs via Zenodo are on the roadmap.
Article tools — track changes, suggest an edit
View history — every captured revision of this article · What links here
8 instruments tracked.
Does governance work? — the social-science evidence
What the peer-reviewed social science shows: whether the harm this topic addresses is empirically real, and whether governance of it works. The badge is the epistemic status of the evidence(not the policy debate) — “thin” or “absent” efficacy evidence is itself a finding (the “second silence”). Each epistemic-status label is Policy Window's editorial assessment of the cited evidence base (a structured classification), not a verdict any single source issues.
Demographic accuracy disparities in facial recognition are robust and replicated. NIST's Face Recognition Vendor Test (189 algorithms, 18.27M images) found one-to-one false-positive rates for Asian and African-American faces elevated 10-100x over white males, with the highest one-to-many false positives for African-American women; Buolamwini & Gebru's Gender Shades found commercial gender-classification error up to 34.7% for darker-skinned women vs 0.8% for lighter-skinned men. Documented downstream harm includes at least 8-15 US wrongful arrests, nearly all of Black people. Honest caveat: magnitude is highly algorithm-dependent — the most accurate algorithms show small or statistically undetectable differentials — so the harm is real but not uniform across systems.
Sources: Grother, Ngan & Hanaoka 2019 (NISTIR 8280, FRVT Part 3: Demographic Effects); Buolamwini & Gebru 2018 (Gender Shades, PMLR 81); Hill 2020 / Williams v. City of Detroit (ACLU 2021)
Rigorous evidence that GOVERNANCE of biometric ID reduces the documented harms is sparse. The one quantitative impact evaluation of police facial-recognition policy (Johnson et al. 2024, difference-in-differences across 268 US cities) studies effects on violent crime — a crime-control outcome, not misidentification harm — from a single research group, and does not establish that any safeguard regime curbs wrongful identification. Direct evidence on procedural safeguards points the other way: in the known wrongful-arrest cases police are reported to have bypassed required corroboration/probable-cause standards, and the strongest documented enforcement levers are private-sector biometric-privacy laws — Illinois BIPA (e.g. Meta's $650M settlement) and the separate Texas CUBI law (a $1.4B Meta settlement) — which govern private actors, not the law-enforcement context where the arrests occur. No replicated study shows a specific regulatory regime measurably reduces demographic misidentification harm.
Sources: Johnson et al. 2024 (Cities, 'Police facial recognition applications and violent crime control in U.S. cities'); Harwell & Schaffer 2025 (Washington Post, 'Arrested by AI'); Illinois BIPA (Rosenbach v. Six Flags 2019; Meta $650M settlement 2021); Texas CUBI (Meta $1.4B settlement 2024)