
EU AI Act and Biometric AI: Facial Recognition, Emotion Detection, and What's Banned

Key takeaways

  • Real-time remote biometric identification in public spaces is prohibited for law enforcement, with very narrow exceptions requiring judicial authorization.
  • Emotion recognition AI is banned in workplaces and educational institutions — no exceptions.
  • Biometric categorisation systems that infer sensitive attributes (race, political opinions, sexual orientation) from biometric data are prohibited.

Biometric AI sits at the sharpest edge of the EU AI Act. Some uses are outright prohibited — banned entirely, with no compliance pathway. Others are classified as high-risk with the most demanding obligations in the entire regulation. No other category of AI faces this level of regulatory scrutiny.

Prohibited biometric AI

Article 5 of the EU AI Act prohibits the following biometric AI practices. These are banned completely — no conformity assessment, no compliance pathway, no exemptions for most use cases:

  • Real-time remote biometric identification in public spaces for law enforcement. Using facial recognition cameras in public areas to identify people in real time is prohibited for police and law enforcement, with only three very narrow exceptions (imminent terrorist threat, search for kidnapping/trafficking victims, serious crime suspects) that each require prior judicial authorization.
  • Biometric categorisation using sensitive attributes. AI systems that categorise individuals based on biometric data to infer race, political opinions, trade union membership, religious beliefs, sex life, or sexual orientation are prohibited. Period. This applies to all sectors — not just law enforcement.
  • Untargeted scraping of facial images. Building facial recognition databases by scraping images from the internet or CCTV footage without consent is prohibited. This directly targets practices like those of Clearview AI.
  • Emotion recognition in workplaces and schools. AI systems that detect emotions in employees or students are banned in workplaces and educational settings, except for medical or safety purposes (e.g., detecting drowsiness in a driver).

Warning

If your product falls into any of the prohibited categories above, there is no compliance pathway. You must stop offering it in the EU market. These prohibitions have been in force since February 2, 2025.

High-risk biometric AI

Biometric AI that is not outright prohibited is generally classified as high-risk under Annex III. This includes:

  • Remote biometric identification (non-real-time). Post-event facial recognition — identifying people from recorded footage after the fact — is high-risk, not prohibited. It requires full high-risk compliance including conformity assessment by a notified body.
  • Biometric verification (1:1 matching). Systems that verify a person is who they claim to be (fingerprint unlock, face ID for login) are typically high-risk when used for access to essential services or law enforcement.
  • Biometric categorisation (non-sensitive attributes). AI that uses biometrics to categorise people by age, gender, or other non-sensitive attributes is high-risk (not prohibited), provided it does not infer the prohibited sensitive categories listed above.

High-risk biometric AI has an additional requirement: the conformity assessment must involve a third-party notified body. Unlike most high-risk AI systems, which can self-assess, biometric AI cannot — independent assessment is mandatory.

Emotion recognition rules

Emotion recognition deserves special attention because the rules are nuanced:

  • Workplaces: Prohibited. You cannot use AI to detect emotions, moods, or affective states of employees in workplace settings. This covers call centre sentiment analysis, meeting engagement monitoring, and similar tools.
  • Education: Prohibited. Emotion recognition of students in educational settings is banned. Proctoring tools that detect stress or attention level are included.
  • Medical: Allowed (high-risk). Emotion recognition for medical or safety purposes is permitted but classified as high-risk. Examples: detecting pain in patients who cannot communicate, detecting drowsiness in professional drivers.
  • Other contexts: Transparency required. Emotion recognition in other contexts (customer service, entertainment) requires disclosure to the user that emotion recognition is being used. The person must be informed before the system operates.

The narrow exceptions

The exceptions to the real-time biometric identification ban are extremely narrow and apply only to law enforcement:

  • Targeted search for specific victims of kidnapping, trafficking, or sexual exploitation
  • Prevention of a specific, substantial, and imminent threat to life or a foreseeable terrorist attack
  • Identification of suspects of serious criminal offences (as defined in an EU framework decision)

Each use requires prior judicial authorization (or administrative authorization with judicial review within 24 hours in urgent cases). The use must be limited in time, geographic scope, and the number of people affected. Member States must notify the EU AI Office of their use.

For commercial applications, these exceptions are irrelevant — they apply only to law enforcement authorities. Private companies cannot use real-time biometric identification in public spaces under any circumstances.

What to do if you use biometric AI

  • Audit immediately. Determine whether any of your AI features involve biometric data processing. This includes facial recognition, voice recognition, fingerprint analysis, gait analysis, and any inference from physical or physiological characteristics.
  • Check against prohibited list. If your system does any of the prohibited activities, you must withdraw it from the EU market. There is no grace period — these prohibitions are already in force.
  • Classify remaining systems. For biometric AI that is not prohibited, use the free classifier to determine your risk classification and obligations.
  • Plan for notified body assessment. High-risk biometric AI requires third-party conformity assessment. This takes time — start identifying notified bodies and understanding their processes now.
  • Implement transparency disclosures. All biometric AI systems that are not prohibited require clear disclosure to affected persons. By the transparency deadline (73 days away), you must inform users when biometric AI is being used on them.
