
AI Office Enforcement

The AI Office's specific enforcement and corrective powers warrant a dedicated topic distinct from general market surveillance coordination.

enforcement authority, corrective powers, intervention authority, suspension powers, ban authority, penalty authority, enforcement mechanisms, corrective action authority

Overview

Legal Framework

Recitals 34 and 35 of the AI Act establish the foundational principles governing the use of high-risk AI systems for law enforcement purposes, particularly remote biometric identification. Recital 34 mandates that such use must be responsible and proportionate, requiring an assessment of the specific situation, the consequences for rights and freedoms, and the implemented safeguards. Recital 35 specifies that each use of 'real-time' remote biometric identification in publicly accessible spaces for law enforcement requires prior express authorization from a judicial or independent administrative authority, with exceptions only for duly justified situations of urgency.

Practical Application

These recitals frame the AI Office's enforcement mandate by defining the narrow, conditional circumstances under which high-risk law enforcement AI can be deployed. The requirement for prior authorization creates a direct supervisory checkpoint. The reference in Data Protection Commissioner v. Facebook Ireland Ltd, and Maximillian Schrems to the power of supervisory authorities to check compliance with EU rules analogously supports the AI Office's role in monitoring adherence to these strict conditions. In practice, the AI Office will scrutinize whether national authorities have correctly applied the proportionality test and granted authorizations only within the exhaustively listed situations, ensuring the safeguards are operational.

Key Considerations

  • Proportionality Documentation: Organizations deploying such systems must maintain robust documentation demonstrating how the specific use was assessed as necessary and proportionate, including the evaluation of consequences for fundamental rights.
  • Authorization Protocol: Establish clear internal protocols for securing the required prior authorization from the competent national authority, including defined procedures for handling urgent exceptions to the prior authorization rule.

Laws (6)

Case Law (1)

Guidance (16)

Guidelines 10/2020 on restrictions under Article 23 GDPR

Guidelines on restrictions under Article 23 GDPR

Guidelines 02/2022 on the application of Article 60 GDPR

Guidelines on the application of Article 60 GDPR

With the introduction of the GDPR, the concept of the one-stop shop was established as one of the main innovations. In cross-border processing cases, the supervisory authority in the Member State of the controller's or processor's main establishment is the authority leading the enforcement of the GDPR for the respective cross-border processing activities, in cooperation with all the authorities which may face the effects of the processing activities at stake: be it through the establishments ...

Guidelines 06/2022 on the practical implementation of amicable settlements

Guidelines on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects

Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement

Guidelines on the use of facial recognition technology in the area of law enforcement

More and more law enforcement authorities (LEAs) apply or intend to apply facial recognition technology (FRT). It may be used to authenticate or to identify a person and can be applied on videos (e.g. CCTV) or photographs. It may be used for various purposes, including to search for persons in police watch lists or to monitor a person's movements in the public space. FRT is built on the processing of biometric data, therefore, it encompasses the processing of special categories ...

ARTICLE 29 DATA PROTECTION WORKING PARTY

Guidelines on transparency

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation

guidelines certification

Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement

guidelines use of facial recognition in law enforcement

More and more law enforcement authorities apply or intend to apply facial recognition technology. The technology can be used to authenticate or identify a person and can be applied to videos (e.g. CCTV) or photographs, but also for other purposes, including searching for persons on police watch lists or tracking a person's movements in public space. Facial recognition technology is based...

Version history

guidelines data breach notification obligation

Guidelines 01/2022 on data subject rights - Right of access

guidelines right of access

The right of access of data subjects is laid down in Article 8 of the Charter of Fundamental Rights of the European Union. It has been part of the European legal framework for data protection since the beginning and is now further developed with more specific, more precise rules in Article 15 GDPR.

Version history

Guidelines 01/2021

Guidelines 02/2024 on Article 48 GDPR

Article 48 GDPR provides that: 'Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer...

Guidelines 07/2022 on certification as a tool for transfers

Guidelines on certification and identifying certification criteria

The GDPR requires in its Article 46 that data exporters shall put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that may be used by data exporters under Article 46 for framing transfers to third countries by introducing, amongst others, certification as a new transfer mechanism (Articles 42 (2) and 46 (2) (f) GDPR). These guidelines provide guidance as to the applicati...

Guidelines 01/2021

Guidelines on Examples regarding Personal Data Breach Notification

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0 Adopted on 20 October 2020

Guidelines on data protection by design and by default

Guidelines 01/2022 on data subject rights - Right of access

Guidelines on data subject rights - Right of access

The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights. It has been a part of the European data protection legal framework since its beginning and is now further developed by more specified and precise rules in Art. 15 GDPR.

News (1)