Spain pilots biometric patient ID system fuelling privacy fears

A report has raised concerns regarding risks and data privacy associated with a new biometric patient identification system being implemented in Spain's autonomous cities of Ceuta and Melilla.

The project contract was awarded in 2021 to Dedalus and Facephi for the development of an AI-driven system designed to identify a minimum of 170,000 patients through facial recognition technology. An investigative report by the public interest journalism organization Civio [1] reveals that the system has been in operation at select primary care clinics in the two cities since November of the previous year, though it remains in the pilot phase within major hospitals. The risks linked to AI facial recognition systems have been extensively documented.

According to Databody Research [2], since the pandemic there has been a significant increase in body-centric data collection, fueled by advancements in artificial intelligence. By the end of the decade, the markets for public health records, mobile health solutions, and biometrics are expected to surpass $500 billion. However, this rapid accumulation of data has resulted in various issues, including data breaches, escalating insurance costs, and incidents of workplace discrimination. Júlia Keserű [3], a Hungarian researcher, said in her report [4] titled From Skin to Screen: Bodily Integrity in the Digital Age: “The increased collection of bodily data poses significant risks to individuals and society as a whole, including cybersecurity breaches, data misuse, consent violations, discrimination against vulnerable populations, biometric targeting and pervasive surveillance.”

The report by Civio, part of its series on algorithms, characterizes the facial recognition system provided by the health service for Ceuta and Melilla as presenting a very high initial risk. The review of the Data Protection Impact Assessment reveals inconsistencies and insufficient data protection measures that do not meet international standards. [5] The Instituto de Gestión Sanitaria (INGESA) has also been criticized for its lack of transparency regarding the specific purpose and implementation timeline of the project. Civio notes that INGESA did not respond to its request for comment. Additional concerns raised by Civio include the absence of a clear mechanism for obtaining patient consent, the potential for bias and exclusion linked to race and gender, and issues related to the security of biometric data, which has already been the subject of breaches in the health sector.

Face biometrics is being recognized as a promising method for patient identification in healthcare globally. However, there are significant concerns about the associated data privacy risks. The Spanish Data Protection Agency (AEPD) [6] has expressed concern regarding the implementation of facial recognition technologies that lack adequate data protection measures. Law firm DLA Piper stated in its blog post titled “Spanish Data Protection Authority Publishes Annual Report”: “The AEPD is preparing to play a pivotal role in supervising high-risk AI systems, highlighting the need for enhanced technical capacity, coordinated oversight, and ethical implementation aligned with fundamental rights. In the field of biometrics, it has pushed for strong safeguards around facial recognition and other surveillance tools.”

In 2023, the organizer of Mobile World Congress in Barcelona was fined €200,000 by the Spanish Agency for Data Protection following the implementation of a facial recognition system for visitor access to the venue. [7] The system, designed to collect biometric data from visitors, was implemented in 2021 without a prior impact assessment, as stated in the resolution from the AEPD. [8] The agency determined that the conference breached multiple provisions of the General Data Protection Regulation.