What to know about the EU’s facial recognition regulation – and how to comply

(Credit: Unsplash)

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Sébastien Louradour, Fellow, Artifical Intelligence and Machine Learning, World Economic Forum


  • Facial Recognition Technology (FRT) is a central concern of the European Commission’s proposed AI regulation.
  • To successfully comply, tech providers will need to build tailored approaches to risk management and quality processes.
  • In partnership with industry, government and civil society, the World Economic Forum has developed an audit framework and certification scheme for tech providers.

The European Commission’s (EC) proposed Artificial Intelligence (AI) regulation – a much-awaited piece of legislation – is out. While this text must still go through consultations within the EU before its adoption, the proposal already provides a good sense of how the EU considers the development of AI within the years to come: by following a risk-based approach to regulation.

Among the identified risks, remote biometric systems, which include Facial Recognition Technology (FRT), are a central concern of the drafted proposal:

  • AI systems intended to be used for the ‘real-time’ and ‘post’ remote biometric identification of natural persons are considered a high-level risk system and would require an ex-ante evaluation of the technology provider to attest its compliance before getting access to the EU market, and an ex-post evaluation of the technology provider (detailed below).
  • In addition, “real-time” remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement are mostly prohibited unless they serve very limited exceptions related to public safety such as the targeted search of missing persons or the prevention of imminent terrorist threats (detailed in Chapter 2, Article 5, p.43-44). Additional requirements for this use-case would include an ex-ante evaluation to grant authorisation to law enforcement agencies, i.e. each individual use should be granted by a “judicial authority or by an independent administrative authority of the Member State”, unless it is operated in a “duly justified situation of urgency”. Finally, national laws could determine whether they fully or partially authorize the use of FRT for this specific use-case.

Other use-cases such as FRT for authentication processes are not part of the list of high-level risks and thus should require a lighter level of regulation.

Ex-ante and ex-post evaluations required by use-case in the EU's facial recognition regulation
Ex-ante and ex-post evaluations required by use-case

Ex-ante and ex-post evaluation of technology providers

The ex-ante evaluation (conformity assessment of providers) would include:

  • A review of the compliance with the requirements of Chapter 2;
  • An assessment of the quality management system, which includes the risk management procedures, and the post-market monitoring system; and,
  • The assessment of the technical documentation of the designated AI system.

Certifying the quality of the processes rather than the algorithm performance

While technology providers have to maintain the highest level of performance and accuracy of their systems, this necessary step isn’t the most critical to prevent harm. The EC doesn’t detail any threshold of accuracy to meet, but rather requires a robust and documented risk-mitigation process designed to prevent harm. The deployment of a quality-management system is an important step as it will require providers to design adequate internal processes and procedures for the active mitigation of potential risks.

A focus on risk management and processes

While it will be up to the technology providers to set up their own quality processes, third-party notified bodies will have the responsibility of attesting providers’ compliance with the new EU legislation.

To succeed, tech providers will need to build tailored approaches to design, implement and run these adequate processes. Providers will also have to work closely with the user of the system to anticipate potential risks and propose mitigation processes to prevent them.

How to anticipate the coming regulation

Over the past two years, the World Economic Forum has partnered with industry players, government agencies and civil society to draft a proposed policy framework for responsible limits on FRT.

Among our proposed oversight strategies, we have detailed a self-assessment questionnaire, a third-party audit and a certification scheme. The EU’s proposed concept of third-party audit (i.e. conformity assessment) suggests the same model of oversight and allows for rapid scale-up and deployment of certification bodies (i.e. notified bodies) to run the third-party audits across the EU.

The proposed conformity assessment procedure – which reviews the control of the compliance of the requirements stated in Title III of the proposed regulation – will first require notified bodies to draft dedicated audit frameworks and certification schemes. These two documents will be used to detail to audited organizations how the certification will play out.

In this regard, we encourage providers to consider the audit framework and certification scheme for the quality management system we’ve detailed in the white paper published in December 2020 in collaboration with the French accredited certification body AFNOR Certification.

Steps of the certification scheme detailed in the white paper - World Economic Forum, Responsible Limits on Facial Recognition Use Case: Flow Management, December 2020
Steps of the certification scheme detailed in the World Economic Forum white paper

Among the requirements of Title III, providers will need to put in place a risk management system focused on the analysis, anticipation and mitigation processes of potential risks. (We go over a similar structured approach in sections 2 and 3 of our audit framework to build the right risk assessment processes and prevent the occurrence of biases and discrimination.)

The post-market monitoring system defined in Article 61 is a mechanism to ensure that compliance with the requirements is met when the system is in operation. This critical point is defined in the audit framework we’ve designed. We’ve considered three stages of analysis when the third-party audit is carried out:

1. Ensuring the right design of the quality management processes to comply with the requirements;

2. Controlling correct implementation of the processes; and,

3. Validating that the system operates in accordance with the requirements.

Notified bodies will use certification schemes to conduct conformity assessments. These certification schemes will provide clarity and transparency to providers on how the assessment will be conducted. We have dedicated a chapter of our white paper (Part 4) to explain how to conduct certification of FRT systems, from the preparation phase to the certification phase and the issuance of certificate.

An additional way of preparing for a third-party audit is organizing an internal self-assessment prior to the audit. This activity will provide materials to attest if the system is audit-ready or requires further remediation. For the pilot phase of our policy project, we partnered with Narita Airport to draft and test a self-assessment questionnaire for the responsible use of FRT in airports. (The responses from Narita are publicly accessible in the appendix of our white paper.) AI, machine learning, technology

How is the Forum helping governments to responsibly adopt AI technology?

The World Economic Forum’s Centre for the Fourth Industrial Revolution, in partnership with the UK government, has developed guidelines for more ethical and efficient government procurement of artificial intelligence (AI) technology. Governments across Europe, Latin America and the Middle East are piloting these guidelines to improve their AI procurement processes.

Our guidelines not only serve as a handy reference tool for governments looking to adopt AI technology, but also set baseline standards for effective, responsible public procurement and deployment of AI – standards that can be eventually adopted by industries.

We invite organizations that are interested in the future of AI and machine learning to get involved in this initiative. Read more about our impact.

While the certification scheme and the audit framework we have detailed will have to evolve to comply with this legislation, they already provide good examples to follow.

When it comes to the use of FRT for identification purposes, maximum precaution should be taken. The proposed EU legislation is, in this sense, ambitious – and will help build trust and transparency among EU citizens and allow for the benefits of this technology to be safely deployed.

the sting Milestones

Featured Stings

Can we feed everyone without unleashing disaster? Read on

These campaigners want to give a quarter of the UK back to nature

How to build a more resilient and inclusive global system

Stopping antimicrobial resistance would cost just USD 2 per person a year

INTERVIEW: UN’s top official in North Korea foresees ‘surge’ in humanitarian aid

Marco Polo’s Dream

Trump ‘used’ G20 to side with Putin and split climate and trade packs

Privatisation and public health: a question of Human Rights

One Day in Beijing

What does global health translate into?

Nearly a third of the globe is now on Facebook – chart of the day

This incredibly detailed map of Africa could help aid and development

Resolving banks with depositors’ money?

How the gig economy can transform farms in the developing world

Coronavirus: First case confirmed in Gulf region, more than 6,000 worldwide

Long live Eurozone’s bank supervisor down with the EU budget supremo

What is a CSO and does every company need one?

‘Young people care about peace’: UN Youth Envoy delivers key message to Security Council

The Bank of China at European Business Summit 2015

Sign language protects ‘linguistic identity and cultural diversity’ of all users, says UN chief

Afghanistan: Bring ‘architects’ of latest ‘appalling’ suicide bombing to justice, says deputy UN mission chief

Do the EU policies on agro-food smell?

The Chinese solar panels suddenly became too cheap for Europe

The US banks drive the developing world to a catastrophe

Statement by Executive Vice-President Margrethe Vestager on State aid measures to address the economic impact of COVID-19

‘Bicycle Kingdom’ makes a comeback, as China seeks solutions to tackle air pollution crisis

Using CO2 as an industrial feedstock could change the world. Here’s how

This new solar technology can be printed or woven into fabric

Tsipras bewildered with Berlin’s humiliating demands; ECB expects political sign to refinance the Greek banks

10 ways cities are tackling the global affordable housing crisis

UN ‘prioritizing needs’, ramping up aid, as Hurricane Dorian continues to batter the Bahamas

EU-wide survey shows Europeans support the Conference on the Future of Europe

Pedro Sánchez: We must protect Europe, so Europe can protect its citizens

4 ways to build resilience to digital risks in the COVID-19 era

Abu Dhabi is investing $250 million in tech start-ups

Countries must rethink tariffs on bio-manufacturing

Plastic is a global problem. It’s also a global opportunity

“Prevention is better than cure”: the main goal of modern medicine

EU food watchdog: more transparency, better risk prevention

Global climate change: consequences for human health in Brazilian cities

Mobile Technology saving lives: changing healthcare systems with simple technology solutions

UN agency chiefs condemn Saudi-coalition led air strike that killed dozens in western Yemen

The cost of healthcare is rising in ASEAN. How can nations get the most for their money?

Activist Greta Thunberg gets preview of UNHQ ahead of climate summit

No better year for the EU’s weak chain links

Here’s how to rebut the climate doom-mongers

Understanding our own garden that we call mind

Cameron postpones speech in Holland

Cultural Intelligence: the importance of changing perspectives

European Parliament approves more transparency and efficiency in its internal rules

Wolfgang Schäuble: “Without European unification, there would be no German unity”

Economy and living standards of Gaza ‘eviscerated’ by crippling blockade – UN trade and development report

Guinea-Bissau needs ‘genuinely free and fair elections’ to break cycle of instability

COVID-19: EU co-finances the delivery of more protective equipment to China

Portugal wants its emigrants back – so it’s paying them to return

Team Europe increased Official Development Assistance to €66.8 billion as the world’s leading donor in 2020

Livelihoods of millions in East and Southeast Asia at risk from Swine Fever epidemic

Humanity ‘at a crossroads’ as damage to planet poses growing risk to health, UN environment agency warns

The secret weapon in the fight for sustainability? The humble barcode

11 ways to align global economic governance with green new deal

Illegal fishing: EU lifts Taiwan’s yellow card following reforms

Technological innovation can bolster trust and security at international borders. Here’s how

Financing fossil fuels risks a repeat of the 2008 crash. Here’s why

Real EU unemployment rate at 10.2%+4.1%+4.7%: Eurostat Update

More Stings?

Speak your Mind Here

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s