Automated Facial Recognition (AFR) – definition
Automated Facial Recognition (AFR), also known as facial recognition technology, refers to a set of computer-based methods used to detect faces in images, extract their features, and compare those features with other images or reference templates stored in a database. In practice, AFR includes at least three distinct stages: face detection, feature extraction, and matching. Technical literature and regulatory documents also distinguish related tasks such as 1:1 verification, 1:N identification, facial attribute classification, and the categorisation of images containing faces.
In the context of photo and video anonymisation, AFR plays an indirect but important role. To automatically blur faces, a system must first detect where they appear in a single frame or across a video sequence. This is typically done using machine learning models, most often deep learning. Such a model does not need to perform full identity recognition, but it relies on technical foundations similar to those used in automated facial recognition, especially at the face detection and localisation stages. For this reason, organisations implementing automatic face blurring should distinguish standard object detection from biometric recognition that leads to the identification of a person.
From the perspective of EU law, a face may be a source of biometric data if it is processed using specific technical means for the purpose of uniquely identifying a natural person. This follows from Article 4(14) of the GDPR, namely Regulation (EU) 2016/679. Therefore, not every use of an algorithm to detect a face automatically amounts to processing special category data. The key factors are the purpose and method of data use. If a system is used solely to detect and blur a face without identifying the person, the legal assessment may differ from a 1:N identification scenario against a reference database.
How AFR works in photo and video processing
In systems used for visual content anonymisation, automated facial recognition should primarily be understood as a family of image analysis techniques based on models trained on large datasets. In modern solutions, convolutional neural networks as well as detection and embedding architectures are dominant. These models make it possible to detect faces under varying lighting conditions, at different scales, from different head angles, and even when partially occluded.
A typical processing workflow looks as follows:
- face detection – the model locates a face and defines a bounding box or facial landmarks,
- inter-frame tracking – in video, the system links detections of the same face across consecutive frames,
- image normalisation – the face may be aligned or resized before further analysis,
- feature extraction – the model generates a numerical representation of the face, known as an embedding,
- matching – the embedding is compared with other embeddings using distance metrics such as cosine or Euclidean distance,
- decision – the system determines whether there is a match or no match based on a defined threshold.
In anonymisation tools, such as on-premise software for processing photos and video recordings, usually only the first stage and part of the second are required. Face blurring alone does not require the identification of a specific individual. This distinction is important for compliance with the data minimisation principle under Article 5(1)(c) of the GDPR.
AFR and face anonymisation
Automatic face blurring is not the same as AFR understood as biometric identification. However, the two areas are technologically related. An AI model used for face blurring must learn what a face is and where it is located in the frame. In most cases, this means training or using a pre-trained deep learning model on labelled image datasets.
In practice, three levels of processing should be distinguished:
- face detection – the system finds a face but does not determine identity,
- face analysis – the system may assess attributes or similarity,
- facial recognition – the system attempts to identify or verify a person.
For organisations involved in photo and video anonymisation, this distinction is practical. If the goal is to protect privacy by blurring faces, there is no need to implement identification functions. Limiting processing to detection and tracking usually reduces both legal and operational risk.
Key AFR parameters and metrics
Evaluating an AFR system requires measurable performance indicators. The right metrics depend on the task. Facial recognition and verification use different metrics than face detection for blurring purposes.
Area | Metric | Practical significance
|
|---|---|---|
Detection | Precision, Recall, mAP | Shows how often the system correctly detects faces and how often it generates false alarms |
1:1 Verification | FMR, FNMR, EER | Shows the trade-off between false acceptance and false rejection |
1:N Identification | Rank-1, Recall@K | Measures whether the correct person appears among the top matches |
Performance | Latency, throughput | Important when processing large collections of photos and recordings |
Video tracking | ID switch, track continuity | Affects the stability of face masking across frames |
Comparative studies often refer to the NIST Face Recognition Technology Evaluation conducted by the National Institute of Standards and Technology. NIST publishes recurring benchmark reports comparing algorithms, including false match rate and false non-match rate across different scenarios. These are important reference sources for assessing algorithm quality, although results depend on the test dataset and evaluation conditions.
Legal framework – GDPR and the EU AI Act
Assessing the lawfulness of automated facial recognition in the European Union requires reference to both the GDPR and the AI Act. These legal acts have different scopes. The GDPR regulates the processing of personal data, while the AI Act establishes requirements for AI systems based on risk level.
In the context of the GDPR, the following elements are the most important:
- Article 4(14) GDPR – definition of biometric data,
- Article 9(1) GDPR – the general prohibition on processing special categories of data, subject to the exceptions in Article 9(2),
- Article 5 GDPR – the principles of lawfulness, data minimisation, purpose limitation, and integrity,
- Article 25 GDPR – privacy by design and privacy by default,
- Article 35 GDPR – data protection impact assessment where processing is likely to result in a high risk.
The AI Act, namely Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024, introduces detailed rules for AI systems, including certain biometric uses. In the area of facial recognition technology, it is important to distinguish between remote biometric identification, biometric categorisation, and emotion recognition. Some uses are prohibited, some are classified as high-risk AI systems, and others are subject to transparency obligations or general safety requirements. The exact classification depends on the use case, the user, and the purpose.
Obligations for organisations using AFR
An organisation using AFR to analyse photos or video recordings must be able to demonstrate that the purpose, scope, and technical measures are proportionate. In practice, compliance means not only having a legal basis but also designing a system architecture that limits unnecessary processing.
The most commonly required actions include:
- determining whether biometric data is being processed within the meaning of the GDPR,
- defining the purpose – for example, face detection for blurring or person identification,
- carrying out a DPIA if the risk to individuals’ rights and freedoms is high,
- implementing access controls, encryption, and data retention policies,
- documenting the sources of training and test data as well as the model’s limitations,
- monitoring model quality, including errors and data drift,
- limiting logs to operationally necessary information, without storing personal data unless required.
In visual content anonymisation environments, implementing on-premise solutions is often practically important. This model can reduce data transfers to third parties and make it easier to meet information security requirements, although it does not in itself guarantee legal compliance.
Challenges and limitations of AFR
AFR is not an error-free technology. The quality of facial recognition depends on image resolution, face angle, occlusion, compression, lighting, and the quality of the training dataset. In video recordings, additional challenges include motion blur and instability in object tracking.
The main practical risks are:
- false matches and false rejections,
- uneven performance across different demographic groups, as described in NIST reports and academic studies,
- difficulty in interpreting results by non-technical users,
- excessive expansion of the original processing purpose, known as function creep,
- the risk of using face detection as a preliminary step towards identification without an appropriate legal basis.
For this reason, in privacy-focused applications, a minimal approach is recommended: detect the face, blur it, and avoid identification functions unless they are strictly necessary.
Normative references and sources
The following legal acts and documents provide the basis for assessing automated facial recognition in the context of photos and video recordings:
- Regulation (EU) 2016/679 (GDPR), 27 April 2016
- Regulation (EU) 2024/1689 of the European Parliament and of the Council (AI Act), 13 June 2024
- NIST Face Recognition Technology Evaluation – benchmark reports published periodically by the National Institute of Standards and Technology
- ISO/IEC 19794-5 – Information technology – Biometric data interchange formats – Face image data
- ISO/IEC 30107-3 – Information technology – Biometric presentation attack detection – Part 3: Testing and reporting
- European Data Protection Board guidelines on biometric data processing and risk assessment, where relevant to the specific use case