EU AI Act Enforcement: First Surveillance Ban Targets Real-Time Biometric ID

EU AI Act Enforcement: First Surveillance Ban Targets Real-Time Biometric ID The European AI Office issued its first enforcement decision under the EU AI Act on June 12, 2026, banning the use of real-time remote biometric identification (RBI) systems in public spaces across three EU member states. The decision marks the beginning of active enforcement of the Act's strictest provisions. The Decision The enforcement action targets: Amsterdam, Netherlands: Live facial recognition deployed at three transit hubs for "security monitoring" Milan, Italy: Real-time gait recognition system used at two stadiums during events Warsaw, Poland: License plate recognition system integrated with predictive policing software All three systems were found to violate Article 5(1)(b) of the EU AI Act, which categorizes real-time remote biometric identification in public spaces as a prohibited practice except in narrowly defined law enforcement scenarios with judicial authorization. The EU AI Act's Prohibition The EU AI Act prohibits real-time RBI in public spaces for law enforcement purposes, with limited exceptions: Search for a specific missing person Prevention of a specific, substantial threat to life Targeting of a specific suspect in a serious crime investigation The three cities cited did not meet any exception. Amsterdam's system was used for general security monitoring without a specific threat justification. Milan's gait recognition was deployed at events with no individualized suspicion. Warsaw's system operated continuously without case-by-case judicial authorization. Penalties The enforcement decision requires: Immediate cessation of all three systems (30-day compliance window) Destruction of all biometric data collected without legal basis Submission of audit reports demonstrating compliance Monitoring visits from the European AI Office within 6 months Penalties for Article 5 violations can reach €35 million or 7% of global annual turnover, whichever is higher. The Office has not announced final penalty amounts, citing ongoing negotiations with the cited parties. Significance for AI Deployers The decision establishes several precedents: No grace period on prohibitions: Despite the Act entering force in stages, the prohibitions are enforceable immediately Broad interpretation of public space: The decision covers any publicly accessible location, not just government property Data destruction requirements: Organizations must actively destroy illegally collected data, not merely stop collecting it Private sector inclusion: The ban applies to both public authorities and private entities deploying AI in public contexts For organizations operating in the EU, this is a signal that the European AI Office is actively investigating and willing to act on prohibited AI practices — not merely issuing guidance. Industry Response European tech industry groups have called for clearer guidance on narrow exceptions. Several companies have active pilot programs for biometric access control in workplaces and airports. The enforcement decision does not address these scenarios directly, but the broad reading of "public space" has raised concerns about where workplace exemptions end and public space prohibitions begin. The next enforcement decisions are expected to address AI systems in employment contexts — specifically automated hiring and worker monitoring systems.