Ireland is poised to grant An Garda Síochána expanded powers to use artificial intelligence to analyse biometric data. The Garda Síochána (Recording Devices) (Amendment) Bill 2025 is scheduled to be considered by the Seanad (Fourth Stage) – the penultimate stage before signing into law by the President – today.

The 2025 Bill is an amendment to the Garda Síochána (Recording Devices) Act 2023 which already permits An Garda to record people in public spaces through body-worn cameras and drones, to track vehicles via automatic number plate recognition, and to get live access to third-party CCTV. These powers already give gardaí powerful tools for surveilling the public. The additional powers which would be granted to gardaí by the 2025 Bill represent similarly fundamental concerns about the balance to be struck between individual privacy and public safety. But the 2025 Bill also suffers from serious shortcomings that undermine legal clarity and the protection of fundamental rights.

One of our primary concerns is that the 2025 Bill introduces a novel term “biometric analysis”. In the bill this is defined not as a particular kind of analysis but, rather, a three-part power that would allow an investigating garda to:

1. Categorise people based on their biometric data,
2. Use biometric data to identify people whose identity is not known, and
3. Use the biometric data of known individuals to “localise” them.

The range and seriousness of the privacy reductions which this could permit are highlighted if we take the example of what this power would allow using just facial biometric data recorded by CCTV footage. The new “biometric analysis” power would allow gardaí to search for and categorise suspects based on racial or ethnic identity, age or gender (to name a few characteristics), to use AI tools to identify a suspect based on biometric analysis from within that group and then to “localise” that identified person by tracking their movements.

A very basic issue with both the existing and proposed powers is that the use of biometric tools like facial recognition have repeatedly been shown to encode racial bias, and to be poor at accurately identifying people of colour, and women of colour in particular. This is to say nothing of the bias (whether intentional or not) of those using such tools. There is evidence that AI-assisted tools may also encode bias – including racial and gender bias. Even presuming the utmost good faith on the part of those using these tools, they have been shown to be unreliable and have the potential to lead to discriminatory outcomes – and to compound existing inequality.

It is partly given this potential that the EU AI Act and the EU Commission’s recently published draft guidelines on biometric identification recognise the use of AI by law enforcement authorities as “high risk”. The label “high risk” is not a generic or empty phrase. The EU has recognised that these technologies pose a high risk of harm to the health and safety or the fundamental rights of European and Irish citizens given both the severity of the possible harms they could occasion and the probability of such harms occurring.

In those circumstances we might expect to see both particular attention to detail and heightened safeguards in a piece of legislation that proposes to use biometric data and AI as part of national law enforcement. Unfortunately, neither is present.

For example, the bill narrows the definition of “biometric identification” which is used in the EU AI Act, limiting the meaning of “biometric identification” to the comparison of biometric data against a reference database of biometric data linked to named individuals. The requirement for ‘named individuals’ is not contained in EU law. This broader approach to understanding – and regulating – “biometric identification” is supported by the EU Commission’s draft guidelines and by the European Data Protection Board (EDPB), in their guidelines on the use of facial recognition technology.

This creates a tension with EU law and a real uncertainty concerning the ability of the 2025 Bill to withstand legal challenge.

A further conflict between the definitions contained in the EU AI Act and the 2025 Bill is contained in the “biometric analysis” power. While the EU AI Act specifically defines “biometric categorisation” systems as AI systems that assign individuals to specific categories on the basis of biometric data, the 2025 Bill does not define this activity and does not take into account that this categorisation is also considered a high-risk use of AI.

The safeguards contained in the AI Act which render the use of high-risk systems permissible are not present in the 2025 Bill – or existing legislation.

Other, simpler, ambiguities also trouble the 2025 Bill – the activity of “localising” a person, for example, is not defined. Even, allowing for the restrictions imposed by the existing 2023 Act, there is a real ambiguity about what this will allow gardaí to do. Will they be permitted to track identified individuals’ movements using facial recognition technology, gait analysis or other biometric tools only over a particular period, or only in a certain geographic area? Or, more concerning, would this allow a protracted “tracking” of a person’s movements, social interactions and activities? Either would present real and significant privacy infringements requiring careful justification to be considered permissible.

Some of the shortcomings we identify here could be remedied by the Regulation of Artificial Intelligence Bill 2026. Even if that bill succeeded in introducing the necessary safeguards for the use of high-risk AI systems, it could only ameliorate the fundamental ambiguities contained in the definitions used by the 2025 Bill through significantly rewriting them.

If it is to be done at all, biometric surveillance and AI should only be introduced into law enforcement in a careful, detail-oriented manner which centres fundamental rights and balances restrictions on personal rights with legitimate, proportionate justifications based on public safety. The 2025 Bill fails to do this – and would leave the Irish public vulnerable to discriminatory technologies and without the safeguards required by EU law.