AI Facial Recognition Compliance Guide: Navigating GDPR and EU AI Act for Surveillance Systems

Introduction: The Regulatory Tightrope of AI Surveillance

AI-powered surveillance technologies, particularly facial recognition, offer businesses unprecedented capabilities in security, authentication, and customer experience. However, these systems process highly sensitive biometric data under intense regulatory scrutiny. Recent incidents involving Ryanair's facial recognition for OTA bookings and Siri's alleged unauthorized recording highlight significant compliance gaps that can result in massive fines and reputational damage.

This guide provides a step-by-step framework for implementing AI surveillance systems that comply with both existing GDPR requirements and the forthcoming obligations under the EU AI Act. By understanding how these regulations intersect—particularly regarding biometric data classification, consent requirements, and governance obligations—organizations can deploy these powerful technologies responsibly while mitigating legal and ethical risks.

Prerequisites: Understanding the Regulatory Landscape

Before implementing any AI surveillance system, organizations must understand three key regulatory frameworks:

• GDPR (General Data Protection Regulation): In effect since 25 May 2018, GDPR classifies biometric data as a special category of personal data under Article 9, requiring enhanced protections. The regulation establishes strict requirements for lawful processing, including explicit consent, data minimization, and purpose limitation.
• EU AI Act: Regulation (EU) 2024/1689 entered into force on 1 August 2024. AI systems for biometric identification and categorization are classified as high-risk under Annex III (area 1). Obligations for high-risk AI systems apply from 2 August 2026, with penalties reaching up to EUR 35 million or 7% of global annual turnover for prohibited practices.
• National Laws: Member states may have additional requirements through national competent authorities designated under both regulations.

Organizations should verify current timelines as regulatory landscapes evolve, particularly for the EU AI Act's phased implementation.

Step 1: Conduct a Double Materiality Assessment

Begin with a comprehensive assessment that evaluates both regulatory compliance risks and ethical impacts. For AI surveillance systems, this involves:

• Data Protection Impact Assessment (DPIA): Required under GDPR Article 35 for processing likely to result in high risk to individuals' rights and freedoms. For biometric systems, DPIAs are mandatory and must document the necessity and proportionality of processing, risks to data subjects, and mitigation measures.
• AI Risk Assessment: Following the NIST AI Risk Management Framework's four core functions (Govern, Map, Measure, Manage), identify specific risks related to accuracy, bias, security, and societal impact. The EU AI Act requires risk management systems for high-risk AI.
• Documentation: Maintain detailed records of assessments, decisions, and rationales as required by both GDPR (Article 30) and the EU AI Act (Article 11).

Step 2: Establish Lawful Basis and Obtain Explicit Consent

Under GDPR, processing biometric data requires both a lawful basis under Article 6 and an exception under Article 9. For most surveillance applications:

• Explicit Consent: Often the most appropriate lawful basis, requiring clear, specific, informed, and unambiguous opt-in. Pre-ticked boxes or default-enabled features violate this requirement, as demonstrated in the Mozilla PPA complaint where tracking was enabled by default without proper disclosure.
• Legitimate Interests: Rarely sufficient for biometric data, especially following CJEU rulings that restrict its use for tracking. The Pinterest case shows the dangers of relying on 'legitimate interest' for processing without consent.
• Consent Design: Implement granular consent mechanisms that separate surveillance consent from other terms. Provide clear information about data usage, retention periods, and third-party sharing, addressing the transparency failures seen in the Ryanair case where facial recognition was implemented with questionable justification.

Step 3: Implement Technical and Organizational Measures

Both GDPR and the EU AI Act require appropriate security measures and governance structures:

• Data Protection by Design and Default: Integrate privacy protections into system architecture from the outset. This includes data minimization (collect only necessary biometric data), pseudonymization where possible, and strict access controls.
• Accuracy and Bias Mitigation: High-risk AI systems under the EU AI Act must meet strict accuracy, robustness, and cybersecurity requirements. Implement regular testing, validation, and bias detection mechanisms. Consider tools like Arthur AI for continuous model monitoring.
• Vendor Management: If using third-party AI solutions, ensure vendors comply with both regulations through contractual obligations, audits, and transparency about their compliance status. The Ryanair case involved outsourcing to GetID, highlighting the importance of vendor due diligence.

Step 4: Ensure Continuous Monitoring and Compliance

Compliance is not a one-time event but an ongoing process:

• Regular Audits: Conduct periodic assessments of system performance, data processing activities, and regulatory changes. The EU AI Act requires post-market monitoring for high-risk systems.
• Incident Response: Establish procedures for detecting, reporting, and addressing data breaches and AI system failures. GDPR requires notification within 72 hours of becoming aware of a breach.
• Documentation Updates: Maintain current technical documentation, including system descriptions, risk assessments, and conformity assessments as required by the EU AI Act.

Step 5: Prepare for Regulatory Engagement

Proactively engage with regulatory requirements:

• Registration: Some high-risk AI systems may require registration in EU databases as specified by the EU AI Act.
• Cooperation with Authorities: Designate points of contact for data protection authorities and the EU AI Office. The Siri case demonstrates the risks of regulatory inaction when complaints are filed.
• Transparency to Individuals: Provide clear information about AI decision-making as required by GDPR Article 22 and the EU AI Act's transparency obligations.

Case Studies: Lessons from Recent Violations

Ryanair's Facial Recognition for OTA Bookings

Ryanair implemented facial recognition verification for customers booking through online travel agents, allegedly to verify contact details despite already possessing this information. The complaint filed with Spain's AEPD highlights multiple GDPR violations: lack of valid consent due to insufficient information, questionable purpose limitation, and potential data minimization issues. With possible fines up to €192 million based on turnover, this case underscores the financial risks of implementing biometric systems without clear lawful basis and transparency. The alleged anti-competitive motive—nudging customers to direct bookings—further complicates compliance justification.

Siri's Unauthorized Recording Practices

Apple's Siri allegedly recorded users without knowledge or consent, even when not triggered by voice commands. According to complaints, thousands of recordings containing intimate personal details were collected and analyzed by employees, violating GDPR's consent requirements and ePrivacy legislation. Despite Apple's 2019 apology, continued allegations suggest systemic compliance failures. The case highlights the importance of: (1) ensuring AI systems only activate under explicit user commands, (2) implementing robust access controls for sensitive data, and (3) responding promptly to regulatory concerns rather than waiting for enforcement action.

Common Themes

Both cases demonstrate how companies often prioritize technological capabilities over compliance fundamentals: inadequate consent mechanisms, unclear purpose limitations, and insufficient transparency. As biometric surveillance becomes more prevalent, regulators are increasingly scrutinizing these practices with substantial penalties.

Practical Tools and Solutions for Implementation

Organizations can leverage several tools to streamline compliance:

• AI Governance Platforms: Solutions like Holistic AI provide comprehensive risk management frameworks aligned with the EU AI Act and GDPR requirements.
• Compliance Tracking: Platforms like AIGovHub offer integrated tracking for cross-domain compliance, helping organizations monitor evolving requirements across AI governance, data privacy, and related regulations.
• Technical Solutions: Privacy-enhancing technologies (PETs) such as federated learning, homomorphic encryption, and differential privacy can help minimize data exposure while maintaining system functionality.

For more guidance on implementing AI governance frameworks, see our EU AI Act compliance roadmap.

Common Pitfalls to Avoid

• Assuming Legacy Systems Are Compliant: Existing surveillance systems may not meet new EU AI Act requirements for high-risk AI. Conduct gap assessments early.
• Over-reliance on Legitimate Interests: As seen in the Pinterest case, this basis is increasingly scrutinized for sensitive data processing. Prioritize explicit consent.
• Neglecting Vendor Compliance Third-party AI providers must demonstrate their own compliance. Include specific contractual obligations and audit rights.
• Underestimating Documentation Requirements: Both GDPR and the EU AI Act require extensive documentation. Implement systems to maintain and update records continuously.

Frequently Asked Questions

When do EU AI Act requirements for biometric surveillance systems take effect?

Obligations for high-risk AI systems, including those for biometric identification and categorization, apply from 2 August 2026. However, prohibited AI practices and AI literacy obligations apply from 2 February 2025, and governance rules for general-purpose AI models apply from 2 August 2025. Organizations should verify current timelines as implementation progresses.

Can we use facial recognition for employee monitoring?

AI systems used in employment contexts are classified as high-risk under the EU AI Act Annex III (area 4). This requires strict compliance with both the AI Act and GDPR, including explicit consent (which may be problematic in employer-employee relationships), DPIAs, and enhanced transparency. Additional national laws may impose further restrictions.

How does GDPR's biometric data protection interact with the EU AI Act?

GDPR establishes the baseline for lawful processing of biometric data, requiring explicit consent or other Article 9 exceptions, data minimization, and security measures. The EU AI Act adds specific requirements for high-risk AI systems, including risk management, accuracy standards, human oversight, and conformity assessments. Organizations must comply with both frameworks simultaneously.

What penalties apply for non-compliance?

GDPR penalties reach up to EUR 20 million or 4% of global annual turnover. The EU AI Act imposes penalties up to EUR 35 million or 7% of global annual turnover for prohibited practices, and EUR 15 million or 3% for other violations. Regulatory authorities may impose both sets of penalties for overlapping violations.

Conclusion and Next Steps

Implementing AI-powered surveillance systems requires careful navigation of complex regulatory requirements. By following this step-by-step guide—conducting thorough assessments, establishing lawful processing bases, implementing robust technical measures, and maintaining continuous compliance—organizations can harness the benefits of these technologies while mitigating significant risks.

As regulations evolve, staying informed is crucial. Platforms like AIGovHub provide integrated tracking of AI governance, data privacy, and related compliance requirements across jurisdictions. For organizations beginning their compliance journey, start with a comprehensive gap assessment against both GDPR and the forthcoming EU AI Act obligations, prioritizing high-risk systems like facial recognition.

This content is for informational purposes only and does not constitute legal advice. Some links in this article are affiliate links. See our disclosure policy.