This article examines the intersection of biometric data and facial recognition in the EU, highlighting the legal and cybersecurity frameworks that shape their use. Drawing on GDPR requirements and current debates on ethical deployment, it explores how EU regulations seek to balance innovation with the protection of privacy and fundamental rights.

In a decision rendered on 30 December, 2024, the Conseil d’État (Council of State) dismissed the appeal made by four associations against Decree 2023-283 on the use of drones by law enforcement agencies.  The Conseil d’État has reversed its position and authorised law enforcement agencies to use drones.  It stated that the existing legal framework guaranteed compliance with the requirements for the protection of personal data and privacy as laid down by national and European law.

On November 23rd, 2022 an article by Le Parisien, a French Newspaper, revealed that the French Government had dropped its project to deploy facial recognition to support security arrangements at the 2024 Paris Olympics. In fact, the debate on the possible implementation of facial recognition systems during the Olympic Games is part of a broader debate which divides political leaders on whether AI-driven biometric systems should be used to monitor public places.

The use of facial recognition technologies for criminal investigation purposes has been under the spotlight for many years in France and in the European Union. In this article accepted for publication in the European Review of Digital Administration & Law, T. Christakis & A. Lodie discuss a major decision issued last year by the French Conseil d’Etat.

The Italian ‘Garante per la protezione dei dati personali’ (Italian data protection authority) published a press release on November 14th, 2022, in which it announced that it had opened two separate investigations into the use of ‘smart video systems’ by two Italian municipalities.

The ‘Commission Nationale de l’Informatique et des Libertés’ (CNIL – the French DPA) released its final decision on October 20th, 2022, sanctioning Clearview AI for its unlawful activity, which consists of collecting images of millions of individuals from the open web without any legal basis under the GDPR for doing so. 

On September 24th, 2022, the French NGO ‘La Quadrature du Net’ challenged the use of technology-driven tools by French police forces before the Commission Nationale de l’Informatique et des Libertés (CNIL – French DPA). By means of three separate complaints, the NGO wants to raise awareness about what it calls the ‘technopolice’, which amounts to the police using methods that may pose risks to privacy. These complaints follow a petition published by LQDN which collected 15 248 signatures.

An Argentinian Court has declared the use of the ‘Facial Recognition for Fugitives System’ (Sistema de Reconocimiento Facial de Prófugos), deployed in Buenos Aires in 2019, unconstitutional. In April 2022, in response to the legal challenge presented by Observatorio de Derecho Informático Argentino (ODIA), and several other human rights organisations, the judge suspended use of the system. 

On July 13th, 2022, the Greek Data Protection Authority (DPA) released its decision about the claims brought by the NGO Homo Digitalis on the processing of individuals’ biometric data by Clearview and fined Clearview 20 million euros. This lawsuit follows many similar cases filed by Noyb, Privacy International, and the Hermès Center for transparency and Digital Human Rights before the French, British, Italian and Austrian DPAs to stop the American start-up collecting biometric data belonging to European citizens.

In June 2022, the Ada Lovelace institute published an ‘Independent legal review of the governance of biometric data in England and Wales’ written by Matthew Ryder. This review aims to address the current legal uncertainty concerning the collection, use and processing of biometric data in England and Wales. It also puts forward 10 recommendations to improve the legal framework as well as the governance of biometrics in England and Wales.

At a time when ad hoc legislation on AI is being negotiated at the European level, the French Senate published on May 10, 2022, a report proposing regulations on biometric recognition in public spaces. The purpose of this report is to put forward a framework for facial recognition experimentation and to reinforce French and European technological sovereignty.

In 2019, Buenos Aires City Council introduced the ‘Facial Recognition for Fugitives System’ (Sistema de Reconocimiento Facial de Prófugos (SNRP)), which involved deploying 9,500 surveillance cameras equipped with facial recognition technology.