Czasopisma logo

Prawo Nowych Technologii

no. 4/2024

The risk of collision between the AI Act and GDPR within AI systems used for emotion recognition of natural persons based on biometric data

DOI: 10.32027/PNT.24.4.4
Mariusz Krzysztofek
Autor jest Privacy Director EMEA i DPO w Herbalife, wykładowcą w dziedzinie ochrony danych osobowych i AI m.in. na Uniwersytecie Jagiellońskim, University of Southern California Law School (Los Angeles), Tongji University Law School (Szanghaj), Szkole Głównej Handlowej w Warszawie
Abstract

The subject of the article is the risk of collision of the AI Act and GDPR regarding one aspect: processing of biometric data in order to recognize emotions. Inference regarding emotions appears in “systems of emotion recognition”, which are AI systems, based on biometric data. Since the “system of emotion recognition” is used for drawing conclusions on emotions of natural persons based on biometric data of those persons, then it uses the mechanism of profiling. Therefore, one should analyse the rules of processing of biometric data in both acts, and also profiling. Special attention should be paid to the issue of sensitive nature of biometric data which is the basis of inference regarding emotions (or rather sensitive from the point of view of many people and the opinion of the European Parliament but not in the definition itself, or to be more precise - according to the definition of sensitive when such biometric data explicitly identifies a natural person).
The AI Act forbids AI systems used for drawing conclusions on emotions of natural persons in a workplace or educational institutions, except for medical or security purposes. However, outside a workplace and educational institutions, it is not considered as an unacceptable risk or a forbidden practice within AI. AI systems using biometrics while recognizing emotions are, however, high risk systems, and with that level of risk there are certain obligations but no prohibition of their use.
There is a fundamental inconsistency in the fact that Article 9 of GDPR considers political and world views, religious beliefs and trade union membership as sensitive data whereas emotions identified or concluded based on biometric data - as long as the data does not explicitly identify a person - is ordinary data. Identifying emotions based on biometric data significantly infringes upon the sphere of privacy. Biometric data, being the basis for emotion inference, simultaneously becomes sensitive data only when, according to Article 3(37) on the definition of the Act regarding artificial intelligence, which refers to the definition of sensitive data in Article 9(1) of GDPR, it is explicitly used to identify a natural person.

Keywords
AI Act, AI, artificial intelligence