The EU AI Act prohibits real-time remote biometric identification in public spaces for law enforcement (with narrow exceptions), bans social scoring systems entirely, and restricts emotion recognition in workplaces and education, while GDPR provides the foundational framework for limiting AI-driven surveillance of individuals.
Surveillance Risk in AI: Mass Monitoring, Privacy Erosion, and Civil Liberties
AI and the Surveillance Spectrum
AI dramatically expands surveillance capabilities by enabling automated processing of video, audio, biometric, behavioral, and transactional data at scales impossible for human monitors. The EU regulatory framework addresses this through a combination of outright prohibitions (EU AI Act Article 5), high-risk classification with strict controls (Annex III), GDPR constraints on personal data processing, and sector-specific rules for workplace monitoring and law enforcement.
EU AI Act Surveillance Prohibitions
| Prohibited Practice | Article | Exceptions |
|---|---|---|
| Real-time remote biometric identification in public spaces for law enforcement | Article 5(1)(h) | Targeted search for victims, prevention of specific imminent threats, serious criminal offences (prior judicial authorisation required) |
| Social scoring by public authorities | Article 5(1)(c) | None |
| Social scoring by private entities leading to detrimental treatment | Article 5(1)(c) | None |
| Untargeted facial image scraping from internet/CCTV | Article 5(1)(e) | None |
| Emotion recognition in workplace and education (except safety/medical) | Article 5(1)(f) | Medical and safety purposes |
| Biometric categorisation inferring sensitive attributes (race, politics, religion) | Article 5(1)(g) | Law enforcement labelling or filtering of lawfully acquired biometric datasets |
Workplace Monitoring and AI
AI-powered workplace monitoring systems, including keystroke logging, screen capture analysis, productivity scoring, and emotion detection, raise significant surveillance concerns. The EU AI Act places emotion recognition in workplaces under the prohibited practices list (Article 5(1)(f)), except where safety or medical reasons apply. AI systems that monitor workers for performance management or task allocation are classified as high-risk under Annex III, point 4.
GDPR Article 88 and national implementing laws provide additional protections. Germany's Federal Data Protection Act (BDSG) Section 26 restricts employee data processing to what is necessary for the employment relationship. France's CNIL has issued guidance limiting continuous workplace monitoring. These national rules apply alongside the EU AI Act.
Biometric Systems: High-Risk Classification
AI systems used for biometric identification (other than the prohibited real-time remote identification in public spaces) are classified as high-risk under Annex III, point 1. This includes post-facto biometric identification for law enforcement, biometric verification systems, and emotion recognition systems permitted under the exceptions. High-risk classification triggers full Chapter III compliance: risk management, data governance, documentation, logging, transparency, human oversight, and accuracy/robustness requirements.
GDPR as the Surveillance Baseline
GDPR provides the foundational framework limiting AI surveillance. Key provisions include purpose limitation (Article 5(1)(b), preventing mission creep from legitimate monitoring to general surveillance), data minimisation (Article 5(1)(c), requiring that monitoring collect only data strictly necessary for the stated purpose), special category data protections (Article 9, requiring explicit consent or legal basis for processing biometric data), and Data Protection Impact Assessments (Article 35, mandatory for systematic monitoring of publicly accessible areas).
Law Enforcement and Intelligence
The Law Enforcement Directive (Directive 2016/680, the LED) applies to police and criminal justice AI processing. Predictive policing tools, risk assessment systems, and automated surveillance in the law enforcement context must comply with both the LED and the EU AI Act. Together they create a stringent framework: AI systems used for individual risk assessment in law enforcement are high-risk (Annex III, point 6) and subject to specific safeguards, including mandatory human oversight and a prohibition on relying solely on automated assessments.
Practical Surveillance Risk Assessment
- Inventory all AI systems that process personal data about individuals' movements, behaviour, communications, or biometric characteristics
- Assess each system against EU AI Act Article 5 prohibitions and Annex III classifications
- Conduct DPIAs under GDPR Article 35 for all systematic monitoring systems
- Verify that workplace monitoring systems comply with national employment data protection rules
- Implement data minimisation controls that prevent monitoring systems from collecting data beyond their stated purpose
- Establish retention limits that automatically delete surveillance data when no longer necessary
This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.