The EU AI Act, the world's first major AI regulation, went into force on August 1, 2024. It bans real-time biometric identification in public spaces. But the exceptions for law enforcement are so broad that critics call them loopholes big enough to drive a surveillance state through.
Meanwhile, Clearview AI has racked up over €50 million in fines across multiple countries, and continues operating. The global pattern is clear: regulations exist, but enforcement lags. The surveillance infrastructure is being built faster than governance can catch up.
The Global Landscape
€35M+
Maximum EU AI Act fine (or 7% global revenue) [4]
€30.5M
Dutch fine against Clearview AI [3]
15
US states with facial recognition restrictions [5]
June 2025
China's new facial recognition law takes effect [6]
European Union: The AI Act
The EU AI Act is the world's first comprehensive regulation targeting artificial intelligence, including facial recognition. [1]
What It Bans
The AI Act categorizes AI systems by risk. "Unacceptable risk" applications are banned entirely, including: [1]
- Real-time remote biometric identification in public spaces
- Social scoring systems
- Emotion recognition in schools and workplaces
- Biometric categorization based on race, religion, sexual orientation
- Predictive policing based on profiling
The ban on "unacceptable risks" went into force on February 2, 2025. [4]
The Law Enforcement Exceptions
Here's where it gets complicated. Real-time biometric identification is banned except for law enforcement in specific circumstances: [1]
- Searching for kidnapping victims
- Preventing terrorist attacks
- Locating suspects of serious crimes
Amnesty International's response: "It is disappointing that the EU chose to prioritize the interest of industry and law enforcement agencies over protecting people and their human rights." [2]
Member States Already Violating It
Despite the EU-wide ban, several member states have adopted measures that directly violate it: [7]
- Hungary (April 2025): Banned LGBTQIA+ Pride events and authorized police to use real-time facial recognition to identify participants, a direct violation of Article 5 of the AI Act
- Czech Republic: Facial recognition ran at Prague's Václav Havel Airport for six months in conflict with EU rules, until police shut it down on August 1, 2025
- Austria: Passed legislation for "federal Trojan" spyware following a school shooting
Penalties
Companies violating the AI Act face fines up to €35 million or 7% of worldwide annual turnover, whichever is higher. [4]
The European Commission published 135 pages of official guidelines in February 2025 to clarify banned AI applications. [4]
Clearview AI: The Global Pariah
Clearview AI scraped billions of photos from social media to build a facial recognition database. Regulators worldwide have responded with fines, which Clearview has ignored.
The Fine Sheet
- Netherlands (2024): €30.5 million, Clearview's largest GDPR fine yet. Additional €5.1 million penalty threatened for continued non-compliance. [3]
- UK (2022): £7.5 million (~$10M) fine reinstated after appeal in October 2025 [8]
- France, Greece, Italy: Each issued fines or enforcement orders [8]
- Canada: Court upheld biometric data ban in January 2025 [8]
Dutch DPA's Findings
The Dutch Data Protection Authority found multiple GDPR violations: [3]
- Processed biometric data without valid legal basis
- Did not obtain consent from individuals whose images were collected
- Did not provide mechanisms for data subject rights (access, erasure)
- Transferred data outside EEA without adequate safeguards
Dutch DPA Chairman: "We are now going to investigate if we can hold the management of the company personally liable and fine them for directing those violations." [3]
Clearview's Response
Clearview's Chief Legal Officer: "Clearview AI does not have a place of business in the Netherlands or the EU, it does not have any customers in the Netherlands or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR. This decision is unlawful, devoid of due process, and is unenforceable." [3]
The company continues to operate in the United States, primarily selling to law enforcement.
United Kingdom: Expansion, Not Restriction
While the EU has moved to restrict facial recognition, the UK is moving in the opposite direction.
2024: First Parliamentary Debate
In November 2024, UK MPs held the first parliamentary debate on police use of live facial recognition since it was first deployed by the Metropolitan Police in 2016. [9]
2025: Expansion
Rather than restricting facial recognition, the UK is expanding it: [9]
- London (Summer 2025): The Metropolitan Police announced permanent live facial recognition cameras in Croydon, South London
- Cardiff: South Wales police expanded live facial recognition to international sports events
Promised Framework
In July 2025, UK Home Secretary Yvette Cooper acknowledged the government intends to create "a proper, clear governance framework" for facial recognition. [9]
But there's no timeline, and it's unclear whether the framework will be statutory (legally binding) or merely guidance.
China: New Regulations (But Not for the State)
China's new facial recognition law, the Security Management Measures Concerning the Application of Facial Recognition Technology, took effect on June 1, 2025. [6]
It's China's first dedicated legal framework for facial recognition. But it regulates commercial and social use, not state surveillance.
What It Requires
- Businesses must justify the necessity of facial recognition
- Bans use in sensitive locations: bathrooms, changing rooms, hotel guest rooms
- If other identity methods (passwords, national digital ID) work, facial recognition cannot be the sole option
- Mandatory transparency on data collection and storage
- Companies processing data of 100,000+ individuals must register with provincial authorities [6]
What It Doesn't Cover
The law does not restrict government or law enforcement use of facial recognition. China's state surveillance apparatus, including the extensive CCTV networks in Xinjiang and elsewhere, remains unrestricted. [10]
Brazil: The Fight for a Ban
Brazil has no general legislation on facial recognition, yet its use is widespread, including in schools. [11]
The Reality
In 2019, research revealed that 90% of people arrested using facial recognition in Brazil were Black. [11]
Brazil is operating facial recognition for law enforcement without meeting minimum transparency standards. [11]
The Legislative Fight
Brazil is debating Bill No. 2338/2023, modeled on the EU AI Act. Civil society groups are pushing for a complete ban on police use. [12]
The #SaiDaMinhaCara (Get Off My Face) initiative has mobilized over fifty lawmakers from different parties to introduce bills banning facial recognition in public spaces. [12]
The June 2024 Draft
Article 13, Section VII of the draft Brazilian Artificial Intelligence Act bans real-time biometric identification in public spaces, with exceptions similar to the EU AI Act. [12]
2025: Expansion Continues
Despite the legislative debate, facial recognition use is expanding: [13]
- Facial recognition drones deployed during Carnival 2025
- São Paulo's "Smart Sampa" system continues monitoring
Australia: eSafety Enforcement
Australia has taken aggressive action through its eSafety Commissioner rather than legislation.
October 2025: Notices Served
Four AI companies were served notices under Australia's Online Safety Act: [14]
- Character.AI
- Nomi
- Chai
- Chub.ai
eSafety Commissioner Julie Inman Grant warned companies must show how their systems prevent harms including sexualized conversations and suicidal ideation with minors. [14]
Penalties: up to $825,000 AUD per day for non-compliance. [14]
Broader Action
Australian regulators have been active against Clearview AI, joining the UK, France, and Canada in enforcement actions. [8]
United States: The Patchwork
The US has no federal facial recognition law. Regulation is a patchwork of state and city rules. [5]
Key Points
- 15 states have some form of restriction on police use [5]
- San Francisco was the first city to ban government use (2019)
- Boston, Oakland, and others followed
- Every known wrongful arrest due to facial recognition has been of a Black person
For detailed US coverage, see our companion article: Facial Recognition Bans in America: State by State
The Global Pattern
Regulation vs. Reality
The pattern worldwide is consistent:
- Laws exist, but enforcement lags - Clearview has been fined repeatedly and continues operating
- Exceptions swallow the rules - The EU ban has law enforcement carveouts; China's law doesn't cover state use
- Expansion often outpaces restriction - The UK is installing more cameras while debating governance
- Racial bias is documented everywhere - Brazil's 90% Black arrest rate mirrors US patterns
The technology is advancing faster than governance. By the time laws catch up, the surveillance infrastructure is already built.
What's Actually Banned Where
| Jurisdiction | Law Enforcement Use | Commercial Use | Public Space Surveillance |
|---|---|---|---|
| EU | Limited (exceptions) | Regulated | Banned (with exceptions) |
| UK | No restrictions | GDPR applies | No restrictions |
| China | No restrictions | Regulated (2025 law) | No restrictions (for state) |
| Brazil | No restrictions | No restrictions | No restrictions |
| US (Federal) | No restrictions | Illinois BIPA only | No restrictions |
| US (15 states) | Various limits | Varies | City bans only |
Looking Ahead
The EU AI Act represents the most comprehensive approach, but its law enforcement exceptions are significant. The UK is moving toward expansion. China regulates commercial use while maintaining state surveillance. The US has no federal framework.
The international consensus among civil society is clear, Human Rights Watch, Amnesty International, the Internet Freedom Foundation, and others have called for global bans on facial recognition in public spaces. [15]
But governments aren't listening. The surveillance infrastructure continues expanding while the regulatory debate continues.
References
- Biometric Update - Real-time remote biometrics banned in EU with AI Act
- Greens/EFA - A Ban on Biometric Mass Surveillance in Public Spaces
- TechCrunch - Clearview AI hit with its largest GDPR fine yet
- Biometric Update - EU issues guidelines clarifying banned AI uses
- TechPolicy.Press - Status of State Laws on Facial Recognition Surveillance
- China Briefing - China's Facial Recognition Regulations: Key Business Takeaways
- EU Perspectives - How EU Member States Are Quietly Expanding Surveillance
- Biometric Update - UK tribunal reinstates fine against Clearview AI
- Anecdotes - AI Regulations in 2025: US, EU, UK, Japan, China & More
- CNN - China's censorship and surveillance were already intense. AI is turbocharging them
- Privacy International - Toward Regulation: Addressing the Legal Void in Facial Recognition
- Biometric Update - Brazilian groups call for ban on facial recognition
- Interlira Reports - Facial Recognition in Brazil: Balancing Security, Privacy, and Regulation
- Digital Watch - Australia demands answers from AI chatbot providers over child safety
- Human Rights Watch - Time to Ban Facial Recognition from Public Spaces and Borders