Domain 1 of Annex III AI Act is one of the most fleshed-out domains in the Commission guidelines of 19 May 2026. It covers three different technologies: remote biometric identification, biometric categorisation and emotion recognition. The delineation between prohibited practices (Article 5), high-risk (Annex III) and out of scope is particularly important here.
For the general framework, see the main article on the Article 6(3) filter. For all eight domains, see the hub overview.
The Three Use Cases of Domain 1
- Point 1(a) Remote biometric identification (RBI)
- Point 1(b) Biometric categorisation based on sensitive attributes
- Point 1(c) Emotion recognition
Point 1(a): Remote Biometric Identification
RBI is identification of persons at a distance without their active cooperation, based on biometric data. The guidelines establish three elements.
First: 1-to-1 verification (confirming a claimed identity, such as smartphone unlock or passport-based border control) does NOT fall within Point 1(a). That is verification, not identification.
Second: 1-to-many identification (searching for a person in a database) does fall within Point 1(a), regardless of whether real-time or post-hoc.
Third: for real-time RBI in publicly accessible spaces by law enforcement, the prohibition rule of Article 5(1)(h) applies, with limited exceptions. Post-hoc identification by law enforcement is high-risk under Point 1(a), not prohibited.
High-risk:
- Facial recognition in CCTV for tracking missing persons after the fact
- Biometric identification at airports (other than passport-based border control)
- Gait recognition for tracking suspects
- Voice identification in recorded conversations
Outside Point 1(a):
- Face unlock on your own smartphone or laptop
- Two-factor authentication with fingerprint
- Border control with biometric passport where the user presents themselves
Point 1(b): Biometric Categorisation
This concerns systems categorising persons into groups based on biometric data, insofar as that categorisation touches sensitive or protected attributes.
High-risk:
- AI categorising persons by age bracket or gender from camera footage
- AI inferring ethnic or religious background from facial images
- AI predicting social or demographic features from voice data
Watch for prohibition: Some biometric categorisation applications are prohibited under Article 5, such as categorising persons based on biometric data to infer race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation. That is not high-risk but immediately prohibited.
Point 1(c): Emotion Recognition
AI detecting emotions or mental states from biometric signals (face, voice, heart rate, skin conductance).
High-risk:
- Emotion recognition for security screening in public spaces
- Emotion recognition in legal or medical contexts
- Emotion recognition in insurance or credit applications
Prohibited: Emotion recognition in workplaces or educational institutions is in principle prohibited under Article 5(1)(f), with exceptions for medical or safety reasons. The broad workplace and education context means many AI pitches in this domain immediately founder on Article 5, not Annex III.
For the Dutch context, the Dutch DPA (Autoriteit Persoonsgegevens) published a detailed report on emotion recognition outlining the risks and legal limits.
Sector-Specific Pitfalls
Pitfall 1: Not Everything That Looks "Biometric" Is Biometric
The AI Act defines biometric data via GDPR: personal data resulting from specific technical processing of physical, physiological or behavioural characteristics enabling unique identification. Pure demographic categorisation without identifiable biometric signature (e.g. clothing recognition) doesn't fall within it.
Pitfall 2: Post-Hoc and Real-Time Have Different Regimes
For real-time RBI in publicly accessible spaces, the prohibition and exception rules of Article 5 apply. For post-hoc RBI, high-risk classification under Annex III applies. For compliance it therefore matters at what moment the identification occurs.
Pitfall 3: Emotion Detection Often Sold Under Other Names
Tools measuring "engagement", "attention", "stress" or "well-being" based on facial analysis are de facto often emotion recognition. The guidelines state that substantive function is decisive, not the marketing claim.
What to Do
Categorise per system
Per AI application with biometric input: 1-to-1 verification or 1-to-many identification? Real-time or post-hoc? At which location?
Check Article 5 first
For biometric categorisation and emotion recognition, check first whether the application falls under a prohibition rule. The Article 6(3) filter is then irrelevant.
Document GDPR legal basis
Biometric data is special-category personal data under Article 9 GDPR. The AI Act sits on top, not instead.
Test your AI against the Article 6(3) filter
Free interactive self-assessment, updated for the Commission guidelines of 19 May 2026. 9 steps, personal report with reasoning, vendor questions and next steps.