GDPR and Facial Recognition: The Line PIs Miss
Here's a belief that's quietly killing perfectly legitimate investigative work: the idea that the moment you run AI-assisted facial analysis on an image, you've stepped into a GDPR minefield. Investigators pull back. Cases stall. Evidence that could answer a direct, specific question goes unexamined — not because the law requires it, but because someone misread what the law actually says.
EU regulators aren't coming for facial comparison inside your case file. They're coming for something very different. And understanding exactly what that difference is — technically, legally, and practically — is what separates the investigator who uses powerful tools confidently from the one who avoids them out of fear that turns out to be unfounded.
GDPR's most aggressive biometric protections target indiscriminate, large-scale identity collection — not controlled facial comparison within a defined case file — and recent EU regulatory decisions are making that distinction increasingly explicit.
The Myth, Stated Plainly
The myth goes like this: "If I use any AI on faces, I'm automatically in GDPR trouble." It's understandable. GDPR Article 9 lists biometric data as a special category requiring heightened protection, and the phrase "biometric data" sounds like it should cover anything a computer does when it looks at a face. But that reading is wrong — or at least, critically incomplete.
Think about a forensic document examiner. Hand them two signed contracts already sitting in evidence, and they'll tell you whether the same person signed both. Nobody calls that a privacy violation. Now imagine that same examiner photographing every handwritten document in a city, building a searchable signature archive of every resident, and running queries against it. Same underlying skill. Completely different legal and ethical universe.
Facial comparison inside a case file is the first examiner. Mass web scraping is the second. The technology touching the face is almost irrelevant. The dataset boundary is everything.
What GDPR Article 9 Actually Says — And Doesn't
Here's where most people stop reading the regulation too early. Article 9's special-category protections apply to biometric data "processed for the purpose of uniquely identifying a natural person." That phrase is doing enormous legal work, and regulators have started leaning on it hard.
Running a comparison function — does Image A depict the same subject as Image B, both already in your possession — is structurally different from querying an unknown face against a mass database to produce an identity from scratch. The first is a closed-loop analytical question about evidence you already hold. The second is an open-ended identification sweep across a population. GDPR's drafters understood this distinction; it's baked into the text. The problem is that most practitioners never get past the words "biometric data" before they've already decided the regulation applies maximally.
Skadden's analysis of recent EU and UK GDPR decisions reinforces this reading: courts and regulators are increasingly focused on the context and purpose of processing, not just the category of data being touched. Purpose limitation — GDPR Article 5(1)(b) — has become the load-bearing legal concept in facial analysis cases. Data collected for one specific purpose cannot be repurposed for a broader one. That principle cuts both ways: it restricts indiscriminate scrapers, and it protects controlled, documented, case-specific comparison.
The EU AI Act Makes the Split Even Clearer
If GDPR created the conceptual distinction, the EU AI Act drew it in permanent marker. The Act's risk-tier framework explicitly classifies real-time remote biometric identification systems operating in public spaces as high-risk — and in many law enforcement contexts, outright prohibited. That's the regulatory hammer everyone's been reading about.
But notice what's being described: a system that identifies people in real time, remotely, across public space, with no prior relationship between the system and the subjects. That is surveillance infrastructure. That is mass collection. The Act's prohibitions are calibrated to that architecture.
Controlled, documented, case-specific image comparison — where you have Image A, you have Image B, both came from your case file, and you want to know if they show the same person — sits in a structurally different category under the Act's own framework. The regulation distinguishes where and how broadly a system operates, not simply whether AI is involved in analyzing a face. White & Case's analysis of the EU Digital Omnibus proposals notes that upcoming revisions to GDPR and the AI Act are further sharpening these distinctions — regulators are actively working to reduce legal ambiguity around exactly this kind of tiered processing question.
"The EU AI Act introduces a tiered risk framework that classifies AI systems based on their potential impact, with the highest scrutiny reserved for systems that could affect fundamental rights at scale — particularly real-time biometric identification in publicly accessible spaces." — White & Case, EU Digital Omnibus Analysis
Data Minimization: The Practical Discipline That Makes This Work
Understanding the legal distinction is necessary. Actually operating within it requires discipline. Three principles define the difference between an investigator who's legally exposed and one who isn't — and they map directly onto GDPR's own framework.
The Three Principles That Keep Comparison Lawful
- ⚡ Purpose limitation — The comparison is answering a specific investigative question about specific individuals already connected to your case. You're not running a fishing expedition against an open dataset.
- 📊 Data minimization — You're working with images already in your case file. You're not scraping new images from social media, public cameras, or the open web to expand your comparison pool.
- 🔮 Documented scope — You can articulate, in writing, exactly what images were compared, why, and what question the comparison was designed to answer. That documentation is both a legal protection and a professional standard.
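The three principles above can be turned into controls that a comparison tool enforces rather than a procedure an investigator has to remember. What follows is an added example, not code from the article or from any product it mentions: the names CaseFile, Artifact, ScopeViolation and placeholder_comparator are hypothetical, the case IDs and image bytes are constructed, and the comparator is a stand-in for whatever model actually compares faces. The wrapper refuses any image not registered to the case (no mid-case pool expansion, no cross-case pooling), requires a stated investigative question, and writes a record of every comparison with the hash and provenance of both images.

```python
# Added example (not the article's or any vendor's code): case-bounded comparison
# with purpose limitation, data minimization and documented scope enforced in code.
# CaseFile, Artifact, ScopeViolation and placeholder_comparator are hypothetical names.
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable

Comparator = Callable[[bytes, bytes], float]


class ScopeViolation(Exception):
    """Raised when a comparison would reach outside the documented case file."""


@dataclass(frozen=True)
class Artifact:
    artifact_id: str
    case_id: str
    sha256: str        # content hash: the record proves exactly which image was compared
    provenance: str    # how the image entered the case file (client-supplied, disclosure, ...)
    data: bytes = field(repr=False)


@dataclass
class CaseFile:
    case_id: str
    purpose: str       # purpose limitation: stated once, at case level
    artifacts: dict[str, Artifact] = field(default_factory=dict)
    audit_log: list[dict] = field(default_factory=list)

    def register(self, artifact_id: str, data: bytes, provenance: str) -> Artifact:
        """Data minimization: only images with documented provenance join the pool."""
        if not provenance.strip():
            raise ScopeViolation(f"{artifact_id}: record provenance before use")
        art = Artifact(artifact_id, self.case_id, hashlib.sha256(data).hexdigest(), provenance, data)
        self.artifacts[artifact_id] = art
        return art

    def _require_in_scope(self, art: Artifact) -> None:
        """Refuse anything not registered to this case (no mid-case pool expansion)."""
        if art.case_id != self.case_id or self.artifacts.get(art.artifact_id) is not art:
            raise ScopeViolation(f"{art.artifact_id} is outside case {self.case_id}")

    def compare(self, a: Artifact, b: Artifact, question: str, comparator: Comparator) -> dict:
        """1:1 comparison of two in-scope images answering a stated question, with a written record."""
        if not question.strip():
            raise ScopeViolation("state the investigative question before comparing")
        self._require_in_scope(a)
        self._require_in_scope(b)
        record = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "case_id": self.case_id,
            "purpose": self.purpose,
            "question": question,
            "compared": [{"artifact_id": x.artifact_id, "sha256": x.sha256, "provenance": x.provenance}
                         for x in (a, b)],
            "similarity": comparator(a.data, b.data),
        }
        self.audit_log.append(record)   # documented scope: every comparison leaves a trace
        return record


def placeholder_comparator(a: bytes, b: bytes) -> float:
    """Stand-in so the example runs offline; NOT face comparison (Jaccard over 4-byte shingles)."""
    sa = {a[i:i + 4] for i in range(len(a) - 3)}
    sb = {b[i:i + 4] for i in range(len(b) - 3)}
    union = sa | sb
    return len(sa & sb) / len(union) if union else 1.0


def demo_run() -> dict:
    """Constructed scenario: one in-scope pair, one control self-comparison, two refusals."""
    case = CaseFile("CASE-2024-0001", "Verify whether a disclosed CCTV still depicts the claimant")
    img_a = case.register("IMG-01", b"constructed image bytes: claimant ID photo", "client-supplied")
    img_b = case.register("IMG-02", b"constructed image bytes: CCTV still frame", "disclosure bundle")
    pair = case.compare(img_a, img_b, "Does IMG-02 depict the same person as IMG-01?", placeholder_comparator)
    ctrl = case.compare(img_a, img_a, "Control: self-comparison", placeholder_comparator)

    other = CaseFile("CASE-OTHER", "unrelated matter")   # pool-expansion attempt from another case
    foreign = other.register("IMG-99", b"constructed image bytes: unrelated person", "web capture")
    try:
        case.compare(img_a, foreign, "Is this the claimant?", placeholder_comparator)
        cross_case_refused = False
    except ScopeViolation:
        cross_case_refused = True

    stray = Artifact("IMG-42", case.case_id, "deadbeef", "", b"constructed stray bytes")  # never registered
    try:
        case.compare(img_a, stray, "Is this the claimant?", placeholder_comparator)
        unregistered_refused = False
    except ScopeViolation:
        unregistered_refused = True

    return {"pair_similarity": pair["similarity"], "self_similarity": ctrl["similarity"],
            "audit_entries": len(case.audit_log), "cross_case_refused": cross_case_refused,
            "unregistered_refused": unregistered_refused, "audit_json": json.dumps(case.audit_log, indent=2)}


if __name__ == "__main__":
    result = demo_run()
    print(result["audit_json"])
    print({k: v for k, v in result.items() if k != "audit_json"})
```

The point of the design is that the dataset boundary is checked on every call: an image has to be registered to this case with its provenance before it can be compared, so "just one more photo from the web" is a refusal with a reason rather than a silent expansion of the pool, and the audit entries are the written scope statement the third principle asks for.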
Here's where it gets interesting. That third principle — documentation — isn't just a compliance box to tick. It's actually what makes facial comparison evidence stronger in a legal context. A comparison conducted with a defined scope, on a controlled dataset, for a specific stated purpose is far more defensible than an undocumented query run against an undefined pool of images. The legal discipline and the evidentiary discipline turn out to be the same discipline. (That's the kind of alignment that should make investigators feel good about doing things right.)
For a deeper look at how facial comparison fits within a responsible investigative workflow, the mechanics of facial comparison as an investigative tool are worth understanding in detail — particularly how the technology is designed to function within case-bounded parameters rather than as an open search engine.
Where the Real Risk Lives — And It's Not Where You Think
The regulatory cases that have generated headlines — the enforcement actions, the massive fines, the landmark rulings — share a common architecture. A company scrapes millions of faces from the open web without consent. A platform builds a searchable identity database from public social media. A vendor sells query access to that database to any paying customer with no documented purpose. Skadden's review of landmark EU data decisions consistently identifies scale and indiscriminate collection as the triggering conditions for maximum regulatory exposure.
What those cases are not about is an investigator comparing two photographs already in evidence to determine if they show the same person. The legal exposure lives in the dataset boundary, not in the fact that mathematics ran across a face.
Look, nobody's saying this is entirely simple. There are edge cases. Using facial analysis on images obtained in legally questionable ways imports those legal problems regardless of how controlled your comparison methodology is. Expanding your comparison pool mid-investigation by pulling new images from outside your case file changes the analysis. The moment your "comparison" starts functioning as an identification sweep — searching an unknown face against a broad population to produce a name — you've crossed into the higher-risk category the regulations are actually targeting.
But the baseline case — two images, your case file, specific question — is not the scenario regulators are worried about. Understanding that distinction isn't just legally useful. It's what separates careful, precise investigative work from the kind of dragnet surveillance that GDPR was written to stop.
GDPR's most aggressive biometric provisions are targeted at scale and indiscriminate collection — at systems that identify unknown individuals across large populations without prior connection to any specific case. Controlled facial comparison within a documented case file, answering a specific investigative question about subjects already known to the case, operates under fundamentally different legal logic. The risk isn't in the technology. It's in the dataset boundary.
So here's the question worth sitting with: when you're working a case involving faces, where do you personally draw the line between responsible comparison and going too far? Because the investigators who have a clear, articulable answer to that question — not a vague sense of caution, but a real answer — are the ones who can use powerful tools confidently, document their methodology cleanly, and hand their evidence to a court without flinching.
The forensic document examiner comparing two signatures in evidence isn't nervous about handwriting analysis. She's done the work to know exactly what she did, why she did it, and what question it answered. That confidence isn't bravado. It's precision. And precision, as it turns out, is what GDPR was designed to reward all along.