12.1 AI, Biometrics & Emerging Threats

Artificial intelligence is not just changing what organisations can do with data — it is creating entirely new categories of privacy threat that existing laws were never designed to address. Understanding these threats is essential for anyone navigating privacy in the next decade.

Facial recognition at scale

In 2020, investigative journalists revealed that Clearview AI had scraped approximately 30 billion images from social media platforms and public websites without consent, building a facial recognition database sold to law enforcement agencies across the United States and beyond. The company's technology allows police to photograph a stranger and instantly match them to social media profiles — bypassing any traditional anonymity that a public space once provided.

The risks extend beyond law enforcement. In her landmark Gender Shades study (2018), researcher Joy Buolamwini of the MIT Media Lab demonstrated that leading facial recognition systems misidentified darker-skinned women at error rates up to 34.7%, compared to less than 1% for lighter-skinned men. Algorithmic bias means that those most at risk from surveillance — minorities, marginalised communities — are also least accurately served by it.

Beyond faces: emotion and gait recognition

Facial recognition is only one application. Emotion recognition software claims to infer psychological states from facial micro-expressions, and is already being deployed in hiring interviews and classroom monitoring — despite significant scientific scepticism about its validity (Crawford, 2021). Gait recognition can identify individuals from CCTV footage by the way they walk, even when faces are hidden.

The permanence problem

Biometric data presents a unique privacy challenge: it is permanent. You can change your password, cancel your credit card, even change your name. You cannot change your face, your iris pattern, your fingerprints, or your DNA. Once biometric data is compromised, the harm is irreversible. This is why GDPR Art. 9 treats biometric data used for identification as a special category requiring heightened protection.

Predictive profiling and the brain frontier

AI systems now analyse behavioural patterns — browsing habits, typing speed, sleep patterns from fitness trackers — to build predictive profiles that anticipate your decisions, political views, and vulnerabilities before you are conscious of them yourself. On the horizon, brain-computer interfaces such as Neuralink propose direct neural data collection — raising questions about the last private space: your own mind.

The EU AI Act (2024)

The EU AI Act — the world's first comprehensive AI regulation — classifies AI applications by risk level. Among its prohibited uses: real-time biometric identification of individuals in publicly accessible spaces by law enforcement, subject to narrow exceptions. The Act came into force in August 2024, with most provisions applying by 2026. For more on evaluating AI-generated claims, see Critical Thinking: The Foundations.

Your takeaway

The emerging frontier of AI-driven surveillance demands new thinking about what privacy means when your face, your walk, your emotions, and eventually your thoughts can be read from a distance.