Continuing to explore the European Union Artificial Intelligence Act, in today’s blog we shall see which practices have been prohibited by the Commission regarding the use of AI. This information all comes from Chapter II Article 5 of the law.
The article can be roughly divided into two sections:
A list of practices that are outright prohibited in the new legislation
Specifications for using the contentious ‘real-time’ remote biometric identification systems in publicly accessible spaces for law enforcement
1. The Act prohibits the practice of placing on the market an AI system that:
Subliminally (beyond a person’s ability to detect them) distorts the behaviour of individuals, in such a manner that is likely to cause harm to themselves or others.
Exploits vulnerable people based on age, disability or specific social or economic situation, by distorting their behaviour to make harmful decisions.
Evaluates or classifies an individual or group based on their social behaviour or known, inferred or predicted personality, with a social score that results in unfavourable treatment that is unrelated or disproportionate to the collected data.
Attempts to predict the criminal propensity of an individual based upon profiling their characteristics.
Creates or expands facial recognition databases through the untargeted scraping of faces from the internet or CCTV.
Infers emotions of individuals in educational institutions or the workplace, except when it is to be used for medical or safety reasons.
Uses biometric categorisation systems that categorise individuals based on biometric data to infer race, politics, trade union membership, religion, sex life or orientation. This prohibition does not apply to lawfully acquired datasets such as images.
2. The law heavily regulates the use of ‘Real-Time’ Remote Biometric Identification Systems
The Act also prohibits the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for law enforcement. However, unlike the other practices, the law provides certain exemptions and lays out a framework to regulate them.
The law defines ‘biometric identification’ as the ‘automated recognition of physical, physiological, behavioural, or psychological human features for the purpose of establishing the identity of a natural person by comparing biometric data of that individual to biometric data of individuals stored in a database.’ Doing so ‘remotely’ is understood to mean without the active involvement of the targeted individual, usually from a distance, and ‘real-time’ means that it occurs without a significant delay.
The exemptions apply when the search is for victims of abduction or human trafficking or for missing persons, when the search is to prevent a specific, substantial and imminent threat to life or physical safety, or when the search is for a person suspected of having committed a criminal offence which carries a sentence of four years or greater.
The system can only be used to identify the specific individual targeted. Any decision must take into account the potential harm if the system were not used and the consequences of using the system on the rights and freedom of people, and should comply with relevant safeguards. Use can only be permitted (except in cases of urgency) if the law enforcement authority has completed a fundamental rights impact assessment.
Any usage also requires authorisation by a judicial or independent administrative authority. In cases of urgency, an approval may be waived but a request must still be made; use must halt if the request is then denied, with the findings discarded and deleted.
The Act mandates that any usage of the biometric systems shall be referred to the relevant market surveillance and national data protection authorities.
In order to use this particular AI technology, Member States must lay down in their respective national laws the necessary detailed rules for the request, issuance, exercise, supervision and authorisation of the technology. Member States can issue more restrictive law than the European Commission has laid out. They must also ensure that national market surveillance and data protection authorities submit an annual report to the European Commission on the use of biometric identification technology.
Finally, the European Commission is required to publish annual reports on the use of AI identification systems.
We have seen that the new EU law has a very limited scope for outright prohibiting the use of AI, targeting only the most egregious and pernicious possible uses of the technology. Additionally, it recognises the necessity of sometimes using contentious technology, but still provides rigorous safeguards to ensure the protection of the rights and liberties of Europeans.