Regulations
30.12.2025 | Reading time: 9 min
Biometrics and the AI Act: what changes for the security and privacy of biometric data
The European Union’s AI Act and the eIDAS 2.0 regulation have stepped in to regulate the use of biometric data, with the aim of ensuring that the adoption of these technologies takes place in a responsible and secure manner.

Artificial Intelligence (AI) and biometrics are evolving rapidly, with applications that are transforming sectors such as security, banking, and healthcare. However, the use of these technologies, particularly for facial recognition and other forms of biometric identification, raises important questions regarding privacy and security.
Discover how Intesa’s solutions offer secure, compliant, and private digital identification through its digital onboarding system and the Intesa ID platform.
In this article you will discover:
What is the AI Act and how does it apply to biometrics?
The AI Act, approved by the European Parliament in March 2024 and published as Regulation (EU) 2024/1689, is the first comprehensive regulation of artificial intelligence, and it classifies AI systems by the risk they pose. Biometric systems, and facial recognition in particular, fall mostly into the two strictest tiers: some uses are prohibited outright, while remote biometric identification, biometric categorisation and emotion recognition are listed as high-risk uses that require strict oversight and specific obligations.
- Unacceptable risk: real-time remote biometric identification (for example live facial recognition) in publicly accessible spaces for law enforcement purposes is prohibited, with a few narrowly defined and authorised exceptions, such as searching for victims of serious crimes. Untargeted scraping of facial images from the internet or CCTV to build recognition databases, emotion recognition in workplaces and schools, and biometric categorisation that infers sensitive traits such as ethnicity or religious belief are prohibited as well.
- High risk: remote biometric identification (matching a person against a database, one-to-many), biometric categorisation and emotion recognition are high-risk systems. Their providers must complete a conformity assessment before placing them on the market and must maintain a risk-management system, data governance, technical documentation, logging, human oversight and an appropriate level of accuracy, robustness and cybersecurity. Note that one-to-one biometric verification whose sole purpose is to confirm that a person is who they claim to be, such as a face match used to log in to a banking app, is expressly carved out of the remote biometric identification entry; it still processes special-category personal data under the GDPR.
- Limited risk: systems subject only to transparency obligations, such as chatbots, which must make clear to users that they are interacting with an AI system.
- Minimal risk: applications that are already widespread, such as spam filters and AI in video games, for which the Act imposes no specific obligations.
The role of eIDAS 2.0 in regulating biometrics
The eIDAS 2.0 Regulation (Regulation (EU) 2024/1183, which amends the 2014 eIDAS Regulation) sets the rules for electronic identification and trust services, including Qualified Electronic Signatures (QES), remote identity proofing such as video identification, and the new European Digital Identity Wallet. It changes the landscape of digital identification by defining how biometric-assisted digital identity solutions can be offered in a way that complies with EU law.
eIDAS 2.0 requires the wallet to keep the holder's identity data, including any biometric data it holds, under the user's sole control, and to support selective disclosure, so that only the attributes a service actually needs are shared. Stored data and presentations are cryptographically protected, and the wallet can be used to authenticate to public and private services across the EU.
Privacy protection and security of biometric data under the AI Act
Biometric data such as fingerprints, facial images and iris scans must be processed in line with data protection by design and by default (GDPR Article 25) and with data minimisation: biometric processing must be limited to what is strictly necessary for the purpose, and the data must be processed securely and transparently. The AI Act adds obligations on top of this for high-risk biometric systems, such as data governance, logging and human oversight.
- Role of the GDPR in protecting biometric data: the GDPR is the primary legal instrument protecting biometric data. Biometric data processed to uniquely identify a person is a special category of personal data under Article 9, so processing is prohibited unless one of the Article 9(2) conditions applies (typically the explicit consent of the data subject), and its use must be limited to specific, legitimate purposes. A data protection impact assessment is normally required before such processing starts.
Compliance and responsibility: who is responsible for processing biometric data?
Under the AI Act the provider of the system carries the primary obligations, but deployers (the organisations that use the system), importers and distributors each have their own duties, depending on their role. Under the GDPR, accountability rests with the data controller, the organisation that decides why and how biometric data is processed, and with any processor acting on its behalf. Every actor in the ecosystem must handle the data with the utmost attention to privacy and security.
Specifically, the data controller must ensure that the chosen technological solutions provide a level of protection appropriate to the risk of abuse, for example by keeping biometric templates encrypted, matching on the user's device where possible, and deploying presentation attack (liveness) detection against printed photos, masks and replayed video. For video identification and biometric authentication, it is essential to rely on solutions that comply with eIDAS and the relevant security standards.
The importance of balancing innovation and the protection of rights
The adoption of biometric technologies and AI must take place with the right balance between innovation and the protection of fundamental rights. Regulations like the AI Act and eIDAS 2.0 are crucial to ensuring that these technologies are implemented safely, respecting user rights and preventing potential abuse.
In an increasingly digital future, the adoption of advanced technologies such as facial recognition or video identification solutions will require clear regulation to protect user privacy. The combination of the AI Act and eIDAS 2.0 will help guide the responsible and secure use of biometrics and artificial intelligence in Europe.
Conclusion
Technological progress brings significant challenges for the privacy and security of biometric data. With the introduction of the AI Act and eIDAS 2.0, the European Union is establishing a regulatory framework that balances innovation with the protection of fundamental rights, ensuring that technologies like biometrics are used in a secure, transparent manner that respects user rights.
For companies and institutions, it is fundamental to stay up-to-date on these regulations and adopt compliant solutions to guarantee not only data security, but also user trust.
Explore how Intesa solutions, such as Intesa Sign and Intesa ID, can support you in ensuring the secure and compliant management of biometric data.
FAQ – Frequently Asked Questions
What is the AI Act and how does it affect biometrics?
The AI Act (Artificial Intelligence Act) is a European Union regulation that establishes rules and requirements for the safe and responsible use of artificial intelligence (AI) in Europe. In particular, the AI Act regulates the use of biometric applications such as facial recognition and other forms of biometric identification, ensuring that high standards of privacy and security are respected.
When does the AI Act enter into force?
The AI Act entered into force on 1 August 2024, but its obligations apply in stages. The prohibitions on unacceptable-risk practices, including the banned biometric uses, have applied since 2 February 2025; the rules for general-purpose AI models since 2 August 2025; most high-risk obligations, including those for the biometric systems listed in Annex III, apply from 2 August 2026; and high-risk systems embedded in products covered by other EU product legislation from 2 August 2027. This staggered timeline gives organisations time to put monitoring, compliance and transparency measures in place.
What does the AI Act require from Generative AI developers?
Generative AI is not automatically classified as high risk; the Act addresses it through two separate sets of rules. Providers of general-purpose AI models must keep technical documentation, give downstream providers the information they need to comply, respect EU copyright law and publish a summary of the content used for training; models deemed to pose systemic risk must additionally perform model evaluations and adversarial testing, report serious incidents and ensure adequate cybersecurity. Separately, transparency obligations apply to the output: AI-generated or manipulated images, audio and video, including deepfakes, must be marked as artificially generated, and people must be told when they are interacting with an AI system. A generative system becomes high risk, with registration in the EU database of high-risk systems, only when it is used for one of the high-risk purposes listed in the Act.
Which AI systems are excluded from the AI Act regulation?
The AI Act excludes certain areas from its scope altogether: systems used exclusively for military, defence or national security purposes, systems developed solely for scientific research and development, research and testing activity before a system is placed on the market (other than testing in real-world conditions), and use by individuals for purely personal, non-professional activity. Minimal-risk systems such as spam filters, AI-enabled video games and automated inventory management are within scope but carry no specific obligations beyond voluntary codes of conduct; they remain subject to general privacy and security law such as the GDPR.
What are the privacy implications of using biometrics?
The use of biometric data, such as fingerprints and facial recognition, is subject to stringent privacy regulations, such as the GDPR. These regulations ensure that data is processed with the highest level of protection, limiting the collection and use of biometric data solely to specific and legitimate purposes.
What is eIDAS 2.0 and what changes for the use of biometric data?
The eIDAS 2.0 Regulation introduces new measures for managing digital identities in Europe, providing a regulatory framework that includes the secure management of biometric data, such as facial and iris recognition. This regulation allows EU citizens to use a “Digital Identity Wallet” to securely manage their personal information, including biometric data. Privacy and data protection are at the heart of this regulation, ensuring that biometric data is used only in a safe and secure manner, maintaining a balance between innovation and the protection of human rights.
What is the difference between biometrics and other identification methods?
Biometrics relies on an individual's physical or behavioural characteristics, such as fingerprints or facial features, while passwords and codes rely on something the user knows, which can be forgotten, guessed or stolen. Biometric traits are hard to share or forget and are difficult to duplicate when the sensor performs liveness detection, but they are not secrets: a face or fingerprint can be captured without the owner's cooperation and cannot be changed if the stored template is compromised. For that reason biometrics is strongest as one factor among several, combined with a possession factor (a device or wallet) or a knowledge factor.
Is biometrics secure?
When implemented correctly, biometrics is one of the most secure forms of digital identification. Its security depends on three things: protection of the enrolled template (encrypted, and ideally stored and matched on the user's device or in a secure element, since a leaked template cannot be revoked the way a password can), resistance to presentation attacks (liveness detection against printed photos, masks, replayed video and deepfakes), and correct tuning of the match threshold, which trades false accepts against false rejects. Compliance with the GDPR and correct implementation of the technology underpin all three.
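As an added illustration of the two answers above (this is example code written for this article, not code from the original page or from any Intesa product), the following Python contrasts how a password and a biometric are verified. A password is checked by exact comparison of a salted, stretched hash, so the server never stores the secret. A biometric probe never exactly matches the enrolled template (sensor noise, pose, lighting), so verification is a thresholded distance computed over the template itself, which is why the template cannot simply be hashed and must instead be stored protected. The 256-bit "templates", the noise model and the threshold value are constructed assumptions standing in for an iris-code-like representation; they are not real biometric data or a recommended operating point.

```python
"""
Constructed example: exact-match password verification versus thresholded
biometric matching, and why the biometric template cannot be protected by hashing.
"""
import hashlib
import hmac
import random
import secrets

TEMPLATE_BITS = 256
# Fraction of differing bits above which a probe is rejected. Real systems tune
# this from measured genuine/impostor distributions (false accept vs false
# reject rate); 0.32 is an illustrative value, not a recommendation.
MATCH_THRESHOLD = 0.32


# --- Password: exact match on a salted, stretched hash -----------------------

def enroll_password(password: str) -> tuple:
    """Return (salt, hash); the password itself is never stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest


def verify_password(salt: bytes, stored: bytes, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 600_000)
    return hmac.compare_digest(digest, stored)  # constant-time comparison


# --- Biometric: thresholded similarity over the stored template --------------

def random_template(seed: int) -> bytes:
    """Constructed stand-in for an enrolled feature vector (deterministic)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(TEMPLATE_BITS // 8))


def noisy_capture(template: bytes, flipped_bits: int) -> bytes:
    """Simulate a fresh capture of the same person by flipping evenly spread bits."""
    if not 1 <= flipped_bits <= TEMPLATE_BITS:
        raise ValueError("flipped_bits out of range")
    step = TEMPLATE_BITS // flipped_bits
    bits = bytearray(template)
    for i in range(flipped_bits):
        pos = i * step                      # distinct positions, all < TEMPLATE_BITS
        bits[pos // 8] ^= 1 << (pos % 8)
    return bytes(bits)


def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of bit positions in which two templates differ."""
    if len(a) != len(b):
        raise ValueError("templates must have equal length")
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return differing / (8 * len(a))


def verify_biometric(enrolled: bytes, probe: bytes,
                     threshold: float = MATCH_THRESHOLD) -> bool:
    """Accept when the probe is close enough; needs the template in the clear."""
    return hamming_fraction(enrolled, probe) <= threshold


def hash_template(template: bytes) -> bytes:
    return hashlib.sha256(template).digest()


def demo() -> dict:
    """Run both schemes on constructed data and report what happened."""
    secret = "correct horse battery staple"
    salt, pw_hash = enroll_password(secret)
    enrolled = random_template(seed=1)
    genuine = noisy_capture(enrolled, flipped_bits=26)   # ~10% of bits differ
    impostor = random_template(seed=2)                    # ~50% of bits differ
    return {
        "password_ok": verify_password(salt, pw_hash, secret),
        "password_typo_rejected": not verify_password(salt, pw_hash, secret[:-1]),
        "genuine_distance": hamming_fraction(enrolled, genuine),
        "impostor_distance": hamming_fraction(enrolled, impostor),
        "genuine_accepted": verify_biometric(enrolled, genuine),
        "impostor_rejected": not verify_biometric(enrolled, impostor),
        # A hash of the template is useless for matching: the genuine capture
        # hashes to something else, so the raw template must be kept and protected.
        "hash_compare_fails_for_genuine": hash_template(enrolled) != hash_template(genuine),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `hash_compare_fails_for_genuine` is the practical one: because matching needs the template in a comparable form, the protection has to come from where the template lives (encrypted at rest, matched on the device or in a secure element) and from liveness checks on the capture, not from a one-way hash as with passwords. Moving `MATCH_THRESHOLD` changes the false accept and false reject rates in opposite directions, which is the trade-off a deployment must measure rather than guess.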
What is a Qualified Electronic Signature (QES) and how does it link to biometrics?
The Qualified Electronic Signature (QES) is the most secure form of digital signature, legally equivalent to a handwritten signature. In some cases, biometrics can be used to authenticate a user during the electronic signing process, ensuring that the signature is authentic and the identity of the signatory is securely verified.
The AI Act, the use of biometrics, and qualified electronic signature solutions are all parts of a European regulatory framework that ensures security, privacy, and human control in digital transactions. Regulations such as eIDAS 2.0 and the AI Act establish clear guidelines for the safe use of these technologies in various fields, from legal to healthcare, all the way to banking and public services.
Intesa, as a Trust Service Provider and leader in the electronic signature and digital identity sector, offers advanced and secure solutions that guarantee compliance with these regulations. Discover how Intesa Sign can support you in digital onboarding and qualified electronic signatures in our in-depth article on Intesa Sign.
The adoption of biometric technologies is the future of digital authentication. With continuous innovation and the introduction of solutions such as digital onboarding and the digital biometric wallet, Intesa is ready to support companies and users toward a secure and compliant digital future.
If you want to learn more or implement biometric solutions in your company, contact us!