APDP • Deliberation No. 2025-022 of 10 December 2025 on Bill No. 1087 concerning the remote biometric identification of persons wanted or reported in places accessible to the public

Deliberation No. 2025-022 of 10 December 2025 of the Personal Data Protection Authority (APDP) gives its opinion on the consultation of the President of the Parliament on Government Bill No. 1087 on the use of video protection and video surveillance of places accessible to the public for the detection, searching for and identifying persons wanted or reported by means of remote biometric identification systems.

* * *

SUMMARY

The APDP first analyses the pre-existing legal issues affecting the deployment of facial recognition in Monaco:

• Legal uncertainty resulting from the dual legal regime of video protection and video surveillance, and the tendency to install too many cameras;
• The alert list of wanted or reported persons is not subject to any control;
• Biometric surveillance processing is exempt from impact analysis;
• The risk of expanding surveillance measures through regulation;
• The risk of being mistakenly included on an alert list.

It then addresses the intrinsic problems with the provisions of Bill No. 1087:

• The discrepancy between the stated intentions, which are limited to a certain use of facial recognition, and the provisions of Bill No. 1656, which do not set sufficient limits;
• The issue of establishing alert lists, with a risk of broad interpretation as to the categories of persons who may be included, doubts about the ability to integrate and update INTERPOL notices, and the procedures for creating the photo database;
• The provision of video protection and video surveillance images to the Public Security Directorate via interconnections raises the risk of continuous video capture and a significant expansion of the uses of remote biometric identification;
• The addition of a 10° clause to Article 5 of Law No. 1.430, authorising the detection, search and identification of persons wanted or reported in accordance with the provisions of Title VI bis, creates a legal ambiguity that could suggest an expanded use of remote biometric identification by administrative authorities other than the Public Security Directorate, whereas Title VI bis strictly reserves its implementation to the latter;
• The proposed Article 8-6, which sets a 30-day retention period for data resulting from positive matches, lacks precision regarding the exact nature of this data and calls for clear guidelines, independent oversight and the publication of an annual report to ensure transparency and compliance in the use of remote biometric identification;
• The proposed Article 8-7 prohibits any interconnection of data processed by remote biometric identification with other personal files, but there is ambiguity as to the exact nature of this data and the creation of the alert list, which could involve indirect matching with other existing processing operations;
• Bill No. 1087 remains incomplete and vague, offering few guarantees, mixing various concepts without clear definitions, and leaving the door open to continuous monitoring of privacy and to extensive uses that are difficult to regulate, while providing for no penalties or mechanisms for accountability or redress in the event of error or abuse.

* * *

MORE DETAILS

¤ In the Preamble, the APDP presents the origins of Bill No. 1087 and offers a comparative analysis of the evolution of the use of artificial intelligence (AI) technologies worldwide (China, United States, Canada), as well as their regulation by European countries (AI Act (EU), France, Belgium, Luxembourg, Switzerland) since Bill No. 1087 was tabled on 19 December 2023 (pp. 3-7).

¤ Next, in Part I, the APDP reviews the pre-existing legal issues in Monegasque law that "prevent the smooth deployment of facial recognition in the Principality" (pp. 7–14):

— Legal uncertainty resulting from the legal framework governing video protection (Title IV of Law No. 1.430 of 13 July 2016 on various measures relating to the preservation of national security) and video surveillance (Chapter VII, Section IV of Law No. 1.565 of 3 December 2024 on the protection of personal data) in the Principality (A):

• The APDP considers this current dual system to be "artificial and a source of legal uncertainty": "Data controllers are effectively faced with two authorisation systems from the Minister of State, which are based on two different legal systems but concern a single type of location within the same (undefined) scope: "places open to the public'‘, which makes it "complicated, and in some situations impossible, to understand what falls under video protection or video surveillance."
• With regard to video surveillance systems installed in places open to the public, the APDP considers that authorisation from the Minister of State (Article 85 of Law No. 1.565, ministerial order of application pending) "should be limited to an acceptance in principle of the implementation (...), and should in no case proceed from an assessment of the proportionality of the system". In this regard, it calls for "the establishment of an equivalent to the Video Protection Commission in France, chaired by a magistrate, which assesses the proportionality of the system, or the reintroduction of an authorisation regime for this type of device within the APDP".
• The APDP also warns of the "tendency to over-install cameras" in places open to the public, which "could be reinforced if the expected Ministerial Order entrusted the assessment of the proportionality of the system to the DSP [Direction de la Sûreté Publique], which would find a new interest in it if it also had the right to interconnect with it."

— Limitations created by the choices made when adopting Law No. 1.565 of 3 December 2024 (B):

• With regard to the "alert list of wanted or reported persons" to be established by the Director of the DSP (Article 8-3, paragraph 1-4° of Bill No. 1087), and its use by the real-time remote biometric identification system, the APDP regrets that they are "totally uncontrollable, depriving the persons concerned of any effective remedy with regard to the respect of their fundamental rights and freedoms": neither the APDP (processing operations falling within the scope of Articles 9 to 15 and 18 of Law No. 1.430 do not fall within the APDP's jurisdiction) nor the Special Commission for National Security (CSSN) has the power to carry out this control (outside its scope of investigation as provided for in Article 16 of Law No. 1.430).
• The APDP also considers it "inappropriate" that police/justice processing (including the proposed system) should be exempt from impact assessments. It bases its position on "European texts (which) require that the “absolute necessity” of any biometric surveillance processing be demonstrated in advance’ and "therefore reiterates its requests for the reintroduction into Law No. 1.565 of the obligation for so-called police/justice processing Justice processing to carry out an impact assessment to be attached to referrals for the Authority's opinion, or that, at a minimum, this obligation be included in the current draft law, if it is adopted, with regard to the deployment of the proposed system."
• The APDP also highlights the major risk of extending surveillance measures by regulatory means "for the rights and freedoms of the individuals concerned, in an area as intrusive as privacy protection", by "giving the system a scope that the National Council could not have anticipated and might not have wished to give it."

— The risk of being mistakenly included in an alert list cannot be ruled out (C):

• The creation of alert lists would be based on two processing procedures established by Ministerial Orders No. 2019-330 (Central Police and Criminal Records File) and No. 2019-333 (File of Wanted or Reported Persons) of 15 April 2019.
• However, the APDP criticises the lack of adequate supervision, particularly with regard to the quality of information and the correction of errors in police files.
• With regard to the indirect right of access of data subjects, the APDP considers that "the wording of Articles 59 and 60 of Sovereign Order No. 11.327 implementing Law No. 1.565, by creating a procedure contra legem, no longer allows it to carry out genuine checks within the meaning of Article 74 of Law No. 1.565".

¤ Finally, in the second part (II), the APDP comments on the problems inherent in the provisions of Bill No. 1087 (pp. 15–24):

— The difference between stated intentions limited to a certain use of facial recognition and a bill that does not set sufficient limits (A):

• According to the APDP, "The explanatory memorandum summarises the draft law as “simply automating the search for individuals through facial recognition instead of DSP agents”", yet it notes that the provisions of Bill No. 1087 "are not limited to the use of facial recognition".
• The concept of "remote biometric identification" is not defined, and "cannot be reduced to facial recognition technology but includes many others, such as the analysis of the behaviour or temperature of the people being filmed."
• The APDP considers that "‘the DSP could ultimately implement any other remote biometric identification technique (or even predictive policing technologies, etc.) without contravening Bill No. 1087, which only formally prohibits the implementation of a social scoring system."
• There is no guarantee that the use of this technology will be limited to the DSP, since its use for the detection of individuals is open to "competent authorities" "and therefore potentially to the Municipal Police, for example".
  Bill No. 1087 does not distinguish between ‘real-time and delayed use of the technology in question, concepts that are not defined and therefore conflate completely different uses of the technology.’
• Bill No. 1087 does not distinguish between "real-time and delayed use of the technology in question, concepts that are not defined and therefore conflate completely different uses of the technology".
• The use of remote biometric identification would be possible for offences punishable by one year's imprisonment, which covers approximately 80% of offences under the Criminal Code. The APDP considers that this scope does not correspond to an ‘imperative security purpose’, contrary to the requirements of the AI Act, which targets offences punishable by at least four years' imprisonment.
• The penalties for illegal implementation of this biometric system are less severe than those existing in standard law for less intrusive devices.
• The APDP also deplores the absence of penalties for improper use or access by DSP personnel and the right to compensation for the persons concerned.
• Finally, the text does not provide for the information of the data subjects, even though they "must know that they are entering a geographical area subject to remote biometric identification, which is planned to be implemented permanently throughout the territory."

— The issue of establishing alert lists (B):

• The APDP considers the scope of Bill No. 1087 to be too broad, as it allows "any type of person “reported” to the judicial authorities for an offence punishable by a sentence of one year or more of imprisonment to be included on the list", "without them being sought for arrest or even necessarily being the perpetrator of the offence (whereas witnesses and victims cannot be subject to search warrants under the Code of Criminal Procedure). Persons subject to judicial supervision thus appear, for example, to be subject to permanent monitoring through the proposed facial recognition system." By comparison, in France, integration is limited to persons subject to acts or decisions leading to their arrest.
• Similarly, Bill No. 1087 allows for "the inclusion on the “alert list” of persons sought or reported in connection with “investigations conducted in the context of inquiries into the causes of death, missing persons, disturbing disappearances or runaways”", but without specifying "which categories of persons may be sought". Nothing seems to prevent the DSP from adding to the list the faces of all the people with whom the victim has interacted in order to also track their movements. There would also be "a risk of permanent monitoring of persons with mental disabilities."
• The APDP also notes that Bill No. 1087 does not specify the procedures for creating the alert list and asks: "Are the details relating to wanted or reported persons taken from the aforementioned databases (’Wanted or Reported Persons Database‘, ’Central Police and Criminal Records Database")? Furthermore, with regard to persons who are being held in custody, who takes the photographs and under what conditions? What are the technical characteristics of a photo that allows the use of facial recognition technology? If these characteristics (the purpose of which is to avoid a high rate of false positives) are not met, are the persons still placed on the list or not?"
• The APDP warns against the creation of a photo database, in particular the prohibition on collecting images from social media or the internet, due to the risk of errors and misuse.
• In flagrant cases, uncertainties remain regarding the collection of photos, their inclusion in the alert list and "the remote biometric identification system at stake, i.e. in real time or retrospectively."
• The Bill does not specify how variable lists related to sporting events or the protection of the Princely Family will be managed, nor the origin of the information used (processing in Monaco, France, European authorities?).
• The extension to persons reported abroad (INTERPOL notices) raises legal and technical doubts, particularly regarding the ability to integrate and update this data.
• Inclusion on the alert list is discretionary, with no clearly defined criteria.
• The quality of images provided by third parties is not guaranteed, increasing the risk of false positives. The APDP regrets that Bill No. 1087 does not provide for any image quality control or impact analysis requirements.
• Finally, the use of INTERPOL yellow notices (missing persons, often minors, or identification of persons unable to identify themselves) poses a problem for the creation of this list in the absence of regulations in this area in the Principality.

— Provision of videosurveillance and video protection images to the Public Safety Department (DSP) (C):

• Bill No. 1087 provides for the provision of video protection and video surveillance images to the DSP "by means of equipment and technical links designed to provide them under the conditions laid down by ministerial order" (amendment to Article 5 and new Article 5 bis of Law No. 1.430);
• The APDP notes that "making them available by means of technical equipment and links appears to be an interconnection allowing the DSP, at a minimum, to directly retrieve the video stream from the entities concerned."
• It then identifies the risk of "permanently capturing the video surveillance feed of entities, permanently expanding the network of cameras it operates, and extending, without the public's knowledge, the use of remote biometric identification in many places open to the public, such as hotel lobbies and restaurants".

— The addition of a 10° to Article 5 of Law No. 1.430 concerning video surveillance systems implemented by the competent administrative authorities, authorising the detection, search and identification of persons wanted or reported in accordance with the provisions of Title VI bis (D):

• The APDP questions the relevance of this addition, which could suggest a broader use of remote biometric identification by administrative authorities other than the Public Security Directorate (DSP).
• The title of the draft law "on the use of video protection and video surveillance of places accessible to the public for the detection, search and identification of persons wanted or reported by means of a remote biometric identification system"(...) suggests that any video surveillance system can be equipped with a facial recognition system, regardless of who is the data controller."
• The APDP also points out that, according to Ministerial Order No. 2017-576, only the DSP can request authorisation to install video protection systems, which raises questions about the possibility for any other competent public authority to implement such devices.
• The APDP concludes on this point that "there should be no doubt, and therefore no legal uncertainty, as to the impossibility for a competent administrative authority other than the DSP to implement remote biometric identification for detection purposes".

— The proposed Article 8-6 stipulates that data that has been positively matched by the system (...) shall be retained for thirty days from the date of the positive match, in principle (E):

• The ADPD questions the nature of this data: "The explanatory memorandum states that this article is intended to “regulate the conditions for archiving positive matches”, which does not clarify their nature. Are we talking about video surveillance images, which already have a retention period of thirty days, or elements related to the remote biometric identification system, such as a software overlay on video images to identify an individual in a crowd on film, or the display of the Artificial Intelligence confidence rating regarding the similarity between the the person being sought and the person identified?"
• In addition, the APDP raises the risk that "remote biometric identification could be used as an intelligence technique that would escape any control by the Special National Security Commission and any recourse to a judge."
• The APDP recommends "monitoring by an independent body", "a detailed assessment of positive matches by the system but also of false positives detected, before and after intervention by a DSP operator, and, where applicable, the reason that led the Artificial Intelligence to make a mistake, in order to maintain a continuous requirement for compliance with the chosen solution", and to provide for "the publication of an annual public report on the use of this technology and its statistics".

— The proposed Article 8-7 stipulates that the data processed may not be interconnected with other personal data or files containing personal data (E):

• Here too, the APDP questions "the nature of the data involved: is it video images, elements specific to a software overlay, information contained in the alert list, or all of these elements at once?"
• Furthermore, although this data used for criminal investigation and intelligence purposes "may not be interconnected in the sense of data protection, i.e. transmitted directly via a technical link", it "appears to be linked to other processing operations".
• The APDP regrets that the methods for creating the alert list are not specified, and considers it "difficult, given the current state of the draft text and the statements made by the authorities' representatives, to imagine that this “alert list”, in terms of its constitution, is independent of third-party processing, the existence of which it assumes, such as the “File of wanted or reported persons”, or even files of stadium bans operated by foreign entities, or INTERPOL photographs."

— The provisions of Bill No. 1087 are too incomplete to regulate such a sensitive subject (G):

• It is noted that "None of the draft texts examined by the APDP goes as far as the Monegasque law with so few associated guarantees."
• The APDP considers that "the Bill mixes all the concepts without ever defining them, talking haphazardly about remote biometric identification in real time and retrospectively, for judicial and administrative police missions, focusing on the DSP's video protection system but open to other video protection and video surveillance systems."
• It deplores the absence of "justification for the absolute necessity of its implementation" and "use cases (...) highlighted. Nothing justifies the necessity and proportionality of the system, in particular why it must be permanent and not deployed only when necessary, according to the principle of subsidiarity, i.e. only if a less intrusive solution than biometrics is impossible in a specific case."
• It highlights "fundamental problems regarding respect for the fundamental rights and freedoms of the persons concerned, and it is easy to imagine situations where the system is used legally but too extensively, allowing continuous monitoring of the private lives of persons identified in the public sphere" (movements, interactions, lifestyle habits).
• It deplores the lack of control over "interactions with intelligence techniques – and the processing they feed into", the lack of sanctions for misuse and misappropriation by DSP staff, the lack of "rights to compensation for individuals who are victims of harm, such as undue police custody, based on a software error undetected by a DSP supervisor, and more broadly to a system of accountability, whether of the DSP and its agents as data controllers, or of the service provider responsible for the AI used."
• Finally, "as remote biometric identification is interconnected with video protection and video surveillance systems outside the DSP, presumably on the latter's information system, the Authority questions the possible liabilities in the event of a security breach of these third-party systems, or leaks of video images related to investigations."

* * *