Facial Recognition and European Law: What Really Changes for Businesses and Creatives.

Gianpaolo Todisco - Partner

Facial recognition has become part of our daily lives almost without us noticing. We unlock our smartphones with our faces, enter some airports through biometric gates, and attend events where smart cameras analyze foot traffic and attendance. In retail and experiential communication, facial analysis systems promise to “read” emotions, personalize content, and improve interaction with the brand.

But when technology recognizes a face, it isn’t simply “looking”; it is processing biometric data. And in Europe, this radically changes the legal framework.

With the adoption of the AI Act, the European Union has made a clear choice: biometrics is a high-risk area and must be strictly regulated. This is complemented by the well-established framework of the General Data Protection Regulation, which classifies biometric data as “special categories” deserving of enhanced protection.

For businesses, brands, creative agencies, and cultural organizations, this is not a theoretical issue. It is a practical one. And a strategic one.

Many companies view facial recognition as an innovative tool: automated VIP access, exclusive events, immersive retail, and advanced profiling. In some cases, these solutions are integrated into security systems; in others, they serve as advanced marketing tools.

The point is that, legally speaking, we are not talking about mere software, but about a system that processes information capable of uniquely identifying a natural person.

In fact, the GDPR classifies biometric data used for identification as “sensitive” data. This means that processing such data is prohibited, except in very limited circumstances. Consent, for example, must be genuinely free, specific, and informed. And in a public or commercial context, the freedom of consent is often questionable.

The AI Act adds another layer: it classifies remote biometric identification systems as either prohibited (in some cases) or “high-risk” (in most applications). And a high-risk system entails structural requirements: documented risk management, human oversight, rigorous data governance, traceability, technical controls, and CE marking.

This is no longer just an IT issue. It’s about corporate governance.

In the creative world, the theme takes on an additional dimension.

Consider audiovisual production, photography, and global advertising campaigns. Today, there are systems that can automatically recognize faces in content, cross-reference them with databases, and analyze emotional reactions while viewers watch a commercial.

Or let’s consider the issue of datasets: images posted online, artistic photographs, and editorial content that are “scraped” and used to train facial recognition systems or artificial intelligence models.

At least four levels of protection are intertwined here:

  • protection of personal data,

  • right to one's own image,

  • copyright,

  • contractual liability.

A photographer might find their work used without authorization for biometric purposes. A brand could become embroiled in a dispute for using facial recognition technology at an event without providing adequate notice. A platform could be held accountable for the use of opaque biometric databases.

Technology is advancing rapidly. Legal risks are multiplying.

The penalties are significant: the GDPR allows for fines of up to 4% of annual global revenue, while the AI Act can impose fines of up to 7% in the most serious cases. For multinational luxury or entertainment groups, the economic impact can be substantial.

However, in the creative sector, the damage to a brand’s reputation can be even more severe. Consumers are increasingly sensitive to issues such as privacy, digital ethics, and the responsible use of AI. A brand perceived as intrusive or lacking transparency risks undermining its value proposition.

And today, brand value is, above all, about trust. That doesn’t mean facial recognition should be ruled out entirely. It means it must be evaluated rigorously.

What is needed:

  • a preliminary audit of the systems in place;

  • a thorough data protection impact assessment (DPIA);

  • a clear allocation of roles and responsibilities among the data controller, the data processor, and the AI provider;

  • specific contractual provisions;

  • a genuine assessment of the proportionality between the intended purpose and the intrusiveness of the measure.

Above all, we need to make an informed decision: does the technology align with the brand’s positioning? Is it necessary, or is it simply “eye-catching”?

Europe has chosen a regulatory model that prioritizes the protection of fundamental rights over technological deregulation. This choice has a profound impact on how companies can innovate.

For businesses and creatives, facial recognition is not just a technological opportunity: it is a test of their legal maturity and cultural responsibility.

In the new digital ecosystem, innovation cannot be separated from compliance. And compliance, when managed effectively, can become a competitive advantage.

Because in today’s market, true innovation is about following the rules without compromising on vision.
