What to know about the EU’s facial recognition regulation – and how to comply

(Credit: Unsplash)

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Sébastien Louradour, Fellow, Artifical Intelligence and Machine Learning, World Economic Forum


  • Facial Recognition Technology (FRT) is a central concern of the European Commission’s proposed AI regulation.
  • To successfully comply, tech providers will need to build tailored approaches to risk management and quality processes.
  • In partnership with industry, government and civil society, the World Economic Forum has developed an audit framework and certification scheme for tech providers.

The European Commission’s (EC) proposed Artificial Intelligence (AI) regulation – a much-awaited piece of legislation – is out. While this text must still go through consultations within the EU before its adoption, the proposal already provides a good sense of how the EU considers the development of AI within the years to come: by following a risk-based approach to regulation.

Among the identified risks, remote biometric systems, which include Facial Recognition Technology (FRT), are a central concern of the drafted proposal:

  • AI systems intended to be used for the ‘real-time’ and ‘post’ remote biometric identification of natural persons are considered a high-level risk system and would require an ex-ante evaluation of the technology provider to attest its compliance before getting access to the EU market, and an ex-post evaluation of the technology provider (detailed below).
  • In addition, “real-time” remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement are mostly prohibited unless they serve very limited exceptions related to public safety such as the targeted search of missing persons or the prevention of imminent terrorist threats (detailed in Chapter 2, Article 5, p.43-44). Additional requirements for this use-case would include an ex-ante evaluation to grant authorisation to law enforcement agencies, i.e. each individual use should be granted by a “judicial authority or by an independent administrative authority of the Member State”, unless it is operated in a “duly justified situation of urgency”. Finally, national laws could determine whether they fully or partially authorize the use of FRT for this specific use-case.

Other use-cases such as FRT for authentication processes are not part of the list of high-level risks and thus should require a lighter level of regulation.

Ex-ante and ex-post evaluations required by use-case in the EU's facial recognition regulation
Ex-ante and ex-post evaluations required by use-case

Ex-ante and ex-post evaluation of technology providers

The ex-ante evaluation (conformity assessment of providers) would include:

  • A review of the compliance with the requirements of Chapter 2;
  • An assessment of the quality management system, which includes the risk management procedures, and the post-market monitoring system; and,
  • The assessment of the technical documentation of the designated AI system.

Certifying the quality of the processes rather than the algorithm performance

While technology providers have to maintain the highest level of performance and accuracy of their systems, this necessary step isn’t the most critical to prevent harm. The EC doesn’t detail any threshold of accuracy to meet, but rather requires a robust and documented risk-mitigation process designed to prevent harm. The deployment of a quality-management system is an important step as it will require providers to design adequate internal processes and procedures for the active mitigation of potential risks.

A focus on risk management and processes

While it will be up to the technology providers to set up their own quality processes, third-party notified bodies will have the responsibility of attesting providers’ compliance with the new EU legislation.

To succeed, tech providers will need to build tailored approaches to design, implement and run these adequate processes. Providers will also have to work closely with the user of the system to anticipate potential risks and propose mitigation processes to prevent them.

How to anticipate the coming regulation

Over the past two years, the World Economic Forum has partnered with industry players, government agencies and civil society to draft a proposed policy framework for responsible limits on FRT.

Among our proposed oversight strategies, we have detailed a self-assessment questionnaire, a third-party audit and a certification scheme. The EU’s proposed concept of third-party audit (i.e. conformity assessment) suggests the same model of oversight and allows for rapid scale-up and deployment of certification bodies (i.e. notified bodies) to run the third-party audits across the EU.

The proposed conformity assessment procedure – which reviews the control of the compliance of the requirements stated in Title III of the proposed regulation – will first require notified bodies to draft dedicated audit frameworks and certification schemes. These two documents will be used to detail to audited organizations how the certification will play out.

In this regard, we encourage providers to consider the audit framework and certification scheme for the quality management system we’ve detailed in the white paper published in December 2020 in collaboration with the French accredited certification body AFNOR Certification.

Steps of the certification scheme detailed in the white paper - World Economic Forum, Responsible Limits on Facial Recognition Use Case: Flow Management, December 2020
Steps of the certification scheme detailed in the World Economic Forum white paper

Among the requirements of Title III, providers will need to put in place a risk management system focused on the analysis, anticipation and mitigation processes of potential risks. (We go over a similar structured approach in sections 2 and 3 of our audit framework to build the right risk assessment processes and prevent the occurrence of biases and discrimination.)

The post-market monitoring system defined in Article 61 is a mechanism to ensure that compliance with the requirements is met when the system is in operation. This critical point is defined in the audit framework we’ve designed. We’ve considered three stages of analysis when the third-party audit is carried out:

1. Ensuring the right design of the quality management processes to comply with the requirements;

2. Controlling correct implementation of the processes; and,

3. Validating that the system operates in accordance with the requirements.

Notified bodies will use certification schemes to conduct conformity assessments. These certification schemes will provide clarity and transparency to providers on how the assessment will be conducted. We have dedicated a chapter of our white paper (Part 4) to explain how to conduct certification of FRT systems, from the preparation phase to the certification phase and the issuance of certificate.

An additional way of preparing for a third-party audit is organizing an internal self-assessment prior to the audit. This activity will provide materials to attest if the system is audit-ready or requires further remediation. For the pilot phase of our policy project, we partnered with Narita Airport to draft and test a self-assessment questionnaire for the responsible use of FRT in airports. (The responses from Narita are publicly accessible in the appendix of our white paper.) AI, machine learning, technology

How is the Forum helping governments to responsibly adopt AI technology?

The World Economic Forum’s Centre for the Fourth Industrial Revolution, in partnership with the UK government, has developed guidelines for more ethical and efficient government procurement of artificial intelligence (AI) technology. Governments across Europe, Latin America and the Middle East are piloting these guidelines to improve their AI procurement processes.

Our guidelines not only serve as a handy reference tool for governments looking to adopt AI technology, but also set baseline standards for effective, responsible public procurement and deployment of AI – standards that can be eventually adopted by industries.

We invite organizations that are interested in the future of AI and machine learning to get involved in this initiative. Read more about our impact.

While the certification scheme and the audit framework we have detailed will have to evolve to comply with this legislation, they already provide good examples to follow.

When it comes to the use of FRT for identification purposes, maximum precaution should be taken. The proposed EU legislation is, in this sense, ambitious – and will help build trust and transparency among EU citizens and allow for the benefits of this technology to be safely deployed.

the sting Milestones

Featured Stings

Can we feed everyone without unleashing disaster? Read on

These campaigners want to give a quarter of the UK back to nature

How to build a more resilient and inclusive global system

Stopping antimicrobial resistance would cost just USD 2 per person a year

FROM THE FIELD: India’s plastic waste revolution

Integration of migrants: Commission launches a public consultation and call for an expert group on the views of migrants

Human rights: breaches in Russia, the Rakhine State and Bahrain

How upskilling could help cities rebuild after Coronavirus

EntEx Organises 5 Summer Schools for Young Entrepreneurs across Europe in June/July 2014

The female struggle in the face of medical devaluation

‘The welfare of the Libyan people’ the UN’s sole agenda for the country, says Guterres in Tripoli

Dare to be vulnerable, and three other lessons in leadership

How businesses can create an ethical culture in the age of tech

The challenge to be a good healthcare professional

Act now to prevent Desert Locust catastrophe in Horn of Africa: UN agencies

The most unlikely innovators are changing ICT for development – it’s time we took notice

What is environmental racism?

Climate change: cutting the good by the root?

Guterres condemns killing of Bangladeshi peacekeeper in South Sudan, during armed attack on UN convoy

Venezuela’s needs ‘significant and growing’ UN humanitarian chief warns Security Council, as ‘unparalleled’ exodus continues

More than speed: 5G could become the next big economic driver

Asylum: more solidarity among EU member states and funds for frontline countries

European Commission requests that Italy presents a revised draft budgetary plan for 2019

Greener tourism: Greater collaboration needed to tackle rising emissions

Juncker’s Investment Plan in desperate need for trust and funds from public and private investors

Europe, US and Russia haggle over Ukraine’s convulsing body; Russians and Americans press on for an all out civil war

The “Colombo Declaration” adopted at the World Conference on Youth 2014

IMF: World cup and productivity

Cameron postpones speech in Holland

‘Great cause of concern’ UN chief tells Security Council, surveying ‘bleak’ state of civilian protection

1.1 billion people still lack electricity. This could be the solution

5 leadership lessons I learned from doing my own ‘undercover boss’

If we want to solve climate change, water governance is our blueprint

The World Health Organization has called on countries to ‘test, test, test’ for coronavirus – this is why

EU budget: Commission helps prepare new Cohesion programmes with Regional Competitiveness Index and Eurobarometer

Catalonia secessionist leader takes Flemish ‘cover’; Spain risks more jingoist violence

Marriage equality boosted employment of both partners in US gay and lesbian couples

Europe had a record year for Measles – and it’s partly down to anti-vaccine campaigners

From Policy to Reality: Discrepancies in Universal Health Care Systems across the EU

AI looks set to disrupt the established world order. Here’s how

Early healthcare investment is our best chance at healthy ageing

The EU sides with China against the US; but has Germany capitulated to America?

Preserving biodiversity vital to reverse tide of climate change, UN stresses on International Day

Educate children in their mother tongue, urges UN rights expert

Russia and the West to partition Ukraine?

GDPR and the World Cup have these 4 things in common

Your chocolate can help save the planet. Here’s how

ECB embarks on the risky trip to Eurozone banking universe

New rules to help consumers join forces to seek compensation

Thinking like Leonardo da Vinci will help children tackle climate change

Parliament approves EU rules requiring life-saving technologies in vehicles

World Bank downgrades global growth forecasts, poorest countries hardest hit

What we need is more (and better) multilateralism, not less

International Women’s Day 2019: more equality, but change is too slow

How to fix our planet: the pioneers fighting to bring nature back

How China Mended My Heart

Children are forgetting the names for plants and animals

Labels for tyres: deal for greener and safer road transport

Commission presents its response to Antisemitism and a survey showing Antisemitism is on the rise in the EU

The Ecofin deceives the SMEs with the EIB €10bn capital increase

Consumers suffer three defeats

Sexual exploitation and abuse: latest UN quarterly update

The economic effects of the COVID-19 coronavirus around the world

New VAT rules in the EU: how a digital sea could have become an ocean

More Stings?

Speak your Mind Here

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s