Concept, updated Apr 18, 2026

Real-Time Remote Biometric Identification

Tags: prohibited-practices, biometrics, law-enforcement
Jurisdiction: EU
Effective: 2024-08-01

Under Article 3(42) of the EU AI Act (Regulation (EU) 2024/1689), a real-time remote biometric identification system means "a remote biometric identification system, whereby the capturing of biometric data, the comparison and the identification all occur without a significant delay, comprising not only instant identification, but also limited short delays in order to avoid circumvention."

General Prohibition

Article 5(1)(h) prohibits the use of real-time remote biometric identification systems in publicly accessible spaces for law enforcement purposes, except in strictly limited circumstances.

Narrow Exceptions

Use is permitted only for:

  1. Victim Search: Targeted search for specific victims of:

    • Abduction
    • Trafficking in human beings
    • Sexual exploitation
    • Missing persons
  2. Imminent Threats: Prevention of:

    • Specific, substantial and imminent threat to life or physical safety
    • Genuine and present or foreseeable terrorist attack
  3. Serious Crime: Localization or identification of suspects for criminal offenses:

    • Listed in Annex II
    • Punishable by a custodial sentence with a maximum period of at least 4 years
    • For criminal investigation, prosecution, or penalty execution

Strict Conditions (Article 5(2))

  • Use only to confirm identity of specifically targeted individuals
  • Consider nature, seriousness, probability and scale of harm
  • Consider consequences for rights and freedoms
  • Comply with necessary and proportionate safeguards
  • Respect temporal, geographic and personal limitations
  • Complete fundamental rights impact assessment
  • Register system in EU database

Authorization Requirements (Article 5(3))

  • Prior authorization from judicial authority or independent administrative authority
  • Emergency use permitted with authorization requested within 24 hours
  • Immediate cessation if authorization rejected
  • Data deletion required if authorization rejected
  • No automated decisions - human verification required

Member State Implementation

Member States may choose whether to allow such systems. Those that do must:

  • Establish detailed national rules
  • Specify applicable objectives and criminal offenses
  • Notify rules to Commission within 30 days

Member States may also introduce more restrictive laws.

Reporting and Oversight

  • Notification to market surveillance and data protection authorities
  • Annual reports to Commission
  • Commission publishes aggregated annual reports