The Facial Recognition Crackdown: Bans, Restrictions, and a World Diverging

Cameras recognize your face. They compare it against a database. They flag or clear you in milliseconds. The entire process happens without your knowledge, your consent, or even your awareness that it occurred. For years, facial recognition operated in this legal gray zone — powerful enough to reshape law enforcement and public safety, yet largely unregulated. That era is ending, unevenly, and with very different conclusions depending on where you live.

The world in 2026 is splitting into distinct camps: those imposing strict bans, those building patchwork rules, those expanding use aggressively, and those with no rules at all. The divergence has enormous consequences for civil liberties, for technology companies, and for any country caught in between.

The EU Draws the Hardest Line

The European Union’s AI Act, which entered full force in 2025 and began imposing binding obligations in 2026, contains one of the most significant prohibitions in the history of surveillance technology. Real-time remote biometric identification — the live scanning of faces in public spaces against law enforcement databases — is, with narrow exceptions, banned across all EU member states.

The exceptions are deliberately tight. Authorities may deploy real-time facial recognition only in cases of targeted searches for victims of specific serious crimes, prevention of specific terrorist threats, or identification of suspects in crimes carrying a penalty of at least three years imprisonment — and only with prior judicial or independent administrative authorization. Retroactive use (applying facial recognition to recorded footage after the fact) is permitted in a broader range of serious crime investigations but still requires authorization.

The practical effect: police forces across 27 countries can no longer operate the live facial scanning systems that had become common in public transport hubs, stadiums, and shopping centers. Several deployments — including controversial pilots in German railway stations — have been shut down or placed under legal review.

GDPR compliance requirements apply on top of the AI Act’s prohibitions. Biometric data is classified as “special category” data requiring explicit consent — a standard essentially incompatible with mass surveillance scanning of unconsenting passersby.

The United States: No Federal Floor, Local Chaos

The United States has produced almost the opposite outcome: no federal framework, and a chaotic patchwork of city and state rules that creates compliance nightmares for any company operating nationally.

San Francisco’s 2019 ban on city government use of facial recognition remains among the most cited, but it applies only to city agencies — not to federal authorities operating within San Francisco, not to private businesses, not to landlords. Chicago’s Biometric Information Privacy Act (BIPA) is broader, requiring informed written consent before any private entity collects biometric data from Illinois residents, and enabling class action lawsuits with statutory damages. BIPA has generated over a billion dollars in settlements since its passage.

Other states have followed with varying rules. Texas and Washington have their own biometric privacy laws. A handful of cities — Somerville, Portland, Boston — have enacted bans on government use. Meanwhile, federal agencies — the FBI, ICE, TSA, and Customs and Border Protection — operate facial recognition programs at airports, land borders, and for criminal investigation with minimal statutory constraint.

The result is predictable: facial recognition is simultaneously banned and aggressively deployed within the same country, sometimes within the same city. Federal law enforcement and national security use proceeds; local police in ban jurisdictions work around restrictions by accessing state or federal databases; and private companies navigate a state-by-state compliance map that changes monthly.

Congress has introduced multiple federal biometric privacy bills. None have passed. The political coalition needed — civil liberties advocates on the left, anti-surveillance conservatives, and technology industry lobbyists all pulling in different directions — has not materialized.

China: Mandatory, Expanding, Legally Codified

China has taken the opposing path. Facial recognition is not merely permitted — it is mandatory in an expanding range of public spaces, integrated into broader digital governance infrastructure, deployed at transit hubs, residential compounds, schools, and workplaces. The technology underpins both law enforcement operations and routine administrative functions.

Chinese regulations introduced in 2021 and extended in subsequent years do impose some rules on collection and storage — prohibiting unnecessary collection and requiring notice in some contexts — but these rules are enforced selectively and do not meaningfully constrain state use. The legal framework is designed to govern private sector overreach, not to limit government surveillance.

Chinese facial recognition systems, developed by companies including Hikvision, Dahua, and SenseTime, are also exported globally — to governments in Southeast Asia, Africa, and the Middle East — raising concerns about the international export of surveillance norms alongside the technology itself.

India, the Middle East, and Expanding Deployments

India has deployed facial recognition at airports under the DigiYatra program, which processed over 200 million passengers by 2025, and is expanding the technology to public events, railway stations, and through the Crime and Criminal Tracking Network. India lacks a dedicated biometric privacy law; the Digital Personal Data Protection Act passed in 2023 creates a general framework but leaves facial recognition largely unaddressed in operational terms.

Gulf states present a similar pattern: technically sophisticated deployments at borders and in smart city infrastructure, with legal frameworks that do not provide meaningful citizen redress. In the UAE, Saudi Arabia, and Qatar, facial recognition has been integrated into national identity infrastructure with limited independent oversight.

Corporate Retreats — and Quiet Returns

The corporate narrative around facial recognition shifted dramatically in 2020. Amazon paused sales of its Rekognition facial recognition tool to law enforcement, citing the need for federal regulation. IBM exited the facial recognition business entirely, announcing it would no longer develop or sell general-purpose facial recognition or analysis software. Microsoft restricted law enforcement sales pending federal legislation.

These announcements were widely covered as a technology industry reckoning. The reality by 2026 is more nuanced. Amazon quietly resumed law enforcement sales after its one-year moratorium expired with no federal law passed. The facial recognition market grew substantially: Clearview AI, which built a database of billions of images scraped from social media, expanded its law enforcement customer base to agencies in dozens of countries despite ongoing legal challenges in the EU and Australia. The corporate retreats were mostly pauses, not exits.

The Accuracy Gap and the Bias Problem

Underlying the regulatory debate is a technical reality that regulators in stricter jurisdictions cite as a core justification for bans. Facial recognition systems perform unevenly across demographic groups. Studies by MIT Media Lab researcher Joy Buolamwini and subsequent audits by the National Institute of Standards and Technology (NIST) documented error rates significantly higher for darker-skinned women compared to lighter-skinned men — in some systems, false positive rates differing by a factor of ten or more.

The consequences of these errors are not symmetric. A false match in a law enforcement context can mean wrongful detention. Multiple documented cases in the United States — Robert Williams, Porcha Woodruff, and others — involved wrongful arrests based on facial recognition misidentifications. In each case, the misidentified individual was Black.

The EU AI Act’s prohibition on real-time use reflects in part this documented accuracy problem. The argument: a technology with known, demographically skewed error rates should not operate in high-stakes law enforcement contexts without meaningful accuracy thresholds, audit requirements, and human review mechanisms that most jurisdictions have not established.

A World Without a Common Standard

The divergence in 2026 is not a temporary coordination failure. It reflects genuinely different value systems — European data protection culture versus American federalist legal structure versus Chinese state surveillance integration versus developing world institutional capacity gaps. These systems are unlikely to converge.

For technology companies, the divergence creates compliance complexity that increasingly requires building jurisdiction-specific products and policies. For governments, it creates a market of surveillance technology suppliers operating under widely varying ethical constraints. For citizens, it means that the degree to which your face becomes a surveillance instrument depends almost entirely on your geographic location.

Sources & Further Reading

• EU AI Act (Regulation 2024/1689) — Official Journal of the European Union
• NIST Face Recognition Vendor Test: Demographic Effects — NIST
• Wrongfully Arrested Because Face Recognition Can’t Tell Black People Apart — ACLU
• America’s Patchwork of Facial Recognition Laws — Brookings Institution
• Amazon Ends Moratorium on Police Use of Facial Recognition — The Guardian
• Understanding Facial Recognition Technology — Privacy International