Aena Fined €10 Million for Unlawful Use of Facial Recognition in Spanish Airports

The event concerns the use of an AI system (facial recognition biometric system) whose deployment did not comply with required data protection impact assessments, a legal obligation intended to protect fundamental rights. While no direct harm such as data breaches or privacy violations has been reported, the failure to comply with legal frameworks constitutes a violation of rights under applicable law. This fits the definition of an AI Incident because the AI system's use has led to a breach of obligations intended to protect fundamental rights, even if no direct data breach occurred.

The event explicitly involves AI systems (biometric identification via facial recognition and fingerprint recognition) used in airport passenger processing. The regulatory sanction and suspension order stem from the improper handling of biometric data, which constitutes a violation of data protection laws and fundamental rights. The AI system's use directly led to legal harm (violation of rights and breach of obligations under applicable law). Although no physical harm or data breach is reported, the violation of privacy rights and legal obligations is a recognized form of harm under the framework. Hence, this is an AI Incident rather than a hazard or complementary information.

The event explicitly involves an AI system (facial recognition biometric identification) whose deployment led to a violation of legal obligations protecting fundamental rights (data protection and privacy). The harm here is a breach of obligations under applicable law intended to protect fundamental rights, specifically the GDPR requirements for data protection impact assessments and lawful processing of sensitive biometric data. Although no physical harm or data breach occurred, the regulatory sanction and suspension order reflect a recognized legal harm. Therefore, this qualifies as an AI Incident due to violation of rights caused by the AI system's use without proper compliance.

The event involves an AI system (facial recognition) used for passenger identification at airports. The sanction arises from the use of this AI system without fulfilling legal requirements, specifically the lack of a valid impact assessment under GDPR. While no direct physical harm or data breach occurred, the violation of data protection laws and the resulting fine and suspension represent a breach of fundamental rights related to personal data privacy. Therefore, this qualifies as an AI Incident due to the realized harm in terms of legal rights violations and operational disruption caused by the AI system's deployment without proper safeguards.

The event explicitly involves AI systems (facial recognition biometric systems) whose deployment led to a breach of legal obligations under data protection law, which protects fundamental rights. The fine and suspension are consequences of this violation. Although no direct physical harm or data breach occurred, the misuse of AI in processing sensitive biometric data without proper safeguards constitutes a violation of rights (harm category c). Hence, it meets the criteria for an AI Incident rather than a hazard or complementary information.

The event explicitly involves AI systems (facial recognition biometric systems) whose deployment led to a regulatory penalty for failing to comply with legal requirements protecting personal data and privacy rights. This constitutes a violation of fundamental rights as per the GDPR and national data protection laws. Although no direct physical harm or data breach occurred, the infringement of data protection rights is a recognized harm under the framework. Therefore, this qualifies as an AI Incident due to the AI system's use causing a breach of obligations intended to protect fundamental rights.

The facial recognition system is an AI system processing biometric data for identification. The use of this system without a proper Data Protection Impact Assessment and without meeting GDPR requirements constitutes a breach of fundamental rights and legal obligations protecting personal data. The regulatory fine and suspension reflect the seriousness of the violation. The event involves realized harm in terms of violation of rights and legal frameworks, not just potential harm. Therefore, it qualifies as an AI Incident due to the direct involvement of an AI system causing a breach of fundamental rights and legal obligations.

The event explicitly involves an AI system (facial recognition biometric system) used by Aena. The system's deployment led to a legal finding of violation of data protection laws and fundamental rights, which is a breach of obligations under applicable law protecting fundamental rights. The harm is realized as the regulator imposed a fine and suspension due to the system's design and use causing unlawful processing of sensitive biometric data. This meets the criteria for an AI Incident because the AI system's use directly led to a violation of rights and legal obligations, constituting harm. The event is not merely a potential risk or a complementary update but a concrete incident with regulatory consequences.

The event explicitly involves an AI system (facial recognition biometric system) whose deployment without a valid impact assessment violates GDPR requirements, constituting a breach of fundamental rights and legal obligations. The system's use without proper risk evaluation and proportionality analysis is a misuse of AI technology handling sensitive data. Although no direct physical harm or data breach occurred, the violation of data protection laws and fundamental rights classifies this as an AI Incident under the framework, as the AI system's use has directly led to a legal rights violation and regulatory sanction.

The event explicitly involves an AI system (facial recognition) used for biometric processing. The sanction arises from the use of this AI system without proper legal compliance (lack of valid impact assessment), which is a breach of data protection laws (RGPD). This breach constitutes a violation of fundamental rights (privacy and data protection). Although no direct harm like data breaches or physical injury occurred, the legal violation itself is a recognized harm under the framework. Therefore, this qualifies as an AI Incident due to the AI system's use leading to a breach of obligations under applicable law protecting fundamental rights.

The event explicitly involves AI systems (facial recognition biometric systems) whose deployment led to a legal sanction for failing to comply with GDPR impact assessment requirements. This is a violation of applicable law protecting fundamental rights (privacy and data protection). The fine and suspension indicate that harm in terms of legal rights violation has occurred. Although no data breach or direct harm to health or property is reported, the breach of data protection law and suspension of biometric data processing qualify as an AI Incident under the definition of violations of human rights or breach of obligations under applicable law. The AI system's use directly led to this legal violation and sanction.

The facial recognition system qualifies as an AI system because it processes biometric data to identify individuals, which involves AI-based pattern recognition. The sanction arises from the system's use without adequate prior impact assessment and failure to meet legal standards, constituting a violation of data protection rights (a breach of obligations under applicable law protecting fundamental rights). Although no direct physical harm or data breach occurred, the regulatory penalty confirms that harm to rights has materialized. Hence, this is an AI Incident rather than a hazard or complementary information.

The facial recognition system is an AI system processing biometric data. The AEPD's fine and suspension indicate that the system's deployment violated legal requirements protecting fundamental rights, specifically the GDPR's data protection impact assessment obligations. This constitutes a breach of obligations intended to protect fundamental rights, fulfilling the criteria for an AI Incident. The harm is realized in terms of legal violations and risks to individuals' rights, not merely potential or future harm. Therefore, the event is classified as an AI Incident.

The facial recognition system is an AI system processing biometric data. The failure to conduct a proper impact assessment and the subsequent regulatory sanction represent a violation of legal obligations protecting fundamental rights (privacy and data protection). This fits the definition of an AI Incident under category (c) - violations of human rights or breach of obligations under applicable law intended to protect fundamental rights. The harm is realized as the regulatory authority has imposed a fine and suspended the system's operation, indicating the infringement has materialized. There is no indication that the article is about potential future harm (hazard) or merely complementary information about AI developments or responses. Therefore, the classification is AI Incident.

The article explicitly mentions the use of facial recognition AI systems for biometric data processing, confirming AI system involvement. The event stems from the use of these AI systems and regulatory non-compliance rather than malfunction or misuse causing harm. No direct or indirect harm to persons, communities, or rights is reported; the fine is due to procedural non-compliance (lack of valid impact assessment). The suspension order is a preventive measure, not a response to an incident. Thus, the event does not meet the criteria for an AI Incident or AI Hazard but fits the definition of Complementary Information as it details a governance response and regulatory enforcement related to AI use.

The event involves the use of an AI system (facial recognition biometric system) that processes sensitive personal data. The regulatory authority (AEPD) has found that Aena failed to conduct a proper data protection impact assessment as required by GDPR, which is a legal framework protecting fundamental rights. This failure constitutes a violation of human rights protections related to privacy and data protection. Although no direct data breach or harm to individuals has been reported, the legal violation itself is a recognized harm under the framework. The temporary suspension of the facial recognition system further indicates the seriousness of the issue. Hence, this is an AI Incident due to the breach of legal obligations protecting fundamental rights caused by the use of an AI system.

The biometric boarding system is an AI system processing biometric data. The fine relates to alleged failure to properly conduct data protection impact assessments, a formal compliance issue. Aena denies any data breach or misuse, and no harm to individuals is reported. The event centers on a regulatory penalty and the company's intention to appeal, which is a governance/legal response to AI system deployment. This fits the definition of Complementary Information, as it provides context on societal and legal responses to AI use without describing a new incident or hazard causing or plausibly causing harm.

The event clearly involves an AI system (facial recognition) and concerns its use and compliance with data protection laws. However, there is no indication that the AI system's use has directly or indirectly caused harm such as injury, rights violations, or community harm. The fine and suspension are due to procedural and compliance failures rather than an incident causing harm. Therefore, this is not an AI Incident. The event also does not describe a plausible future harm scenario beyond the regulatory concerns already addressed, so it is not an AI Hazard. Instead, it is a governance and regulatory response to AI deployment issues, providing complementary information about AI system oversight and enforcement.

The event explicitly involves AI systems (facial recognition biometric systems) and their deployment. However, the reported issue is a regulatory sanction for procedural non-compliance (lack of a valid impact assessment) rather than an incident causing harm. No injury, rights violation, or data breach has occurred according to the report. Therefore, this is not an AI Incident. Nor does it describe a plausible future harm scenario beyond regulatory concerns, so it is not an AI Hazard. The main focus is on the legal and governance response to AI deployment practices, making it Complementary Information.

The event explicitly involves an AI system (facial recognition) used by AENA. The issue arises from non-compliance with data protection regulations, specifically the lack of a valid impact assessment before deployment. There is no reported harm such as data breaches, misuse, or violations of rights resulting from the AI system's operation. The suspension of biometric data processing and the fine are regulatory actions addressing procedural shortcomings. Since no direct or indirect harm has occurred and no plausible future harm is indicated beyond the regulatory concern, this does not meet the criteria for an AI Incident or AI Hazard. Instead, it is a governance and regulatory response to AI deployment, fitting the definition of Complementary Information.

The event explicitly involves an AI system (facial recognition technology) used in a critical infrastructure setting (airports). The harm arises from the failure to comply with GDPR requirements, specifically the lack of a valid impact assessment, which is a breach of legal obligations protecting fundamental rights. The regulatory sanction and suspension of the system indicate that the AI system's use has directly led to a violation of rights under applicable law. Although no physical harm or data breach occurred, the infringement of data protection rights and the imposition of a historic fine demonstrate realized harm. Hence, this qualifies as an AI Incident rather than a hazard or complementary information.

The event explicitly involves an AI system (facial recognition) used for biometric boarding. The sanction is due to non-compliance with data protection impact assessment requirements, which is a legal and governance issue. No actual data breach or harm to individuals has occurred, as confirmed by Aena. The sanction and suspension are preventive and corrective measures. Therefore, the event does not describe realized harm (AI Incident) nor a plausible future harm scenario (AI Hazard), but rather a governance/legal response to AI deployment issues, fitting the definition of Complementary Information.

The facial recognition system qualifies as an AI system due to its biometric recognition capabilities. The sanction arises from Aena's failure to comply with legal obligations in data protection impact assessment, which is a governance and compliance issue. No direct or indirect harm from the AI system's operation is reported, and no plausible future harm is explicitly stated. The main focus is on the regulatory response and legal dispute, which fits the definition of Complementary Information rather than an Incident or Hazard.

The event explicitly involves an AI system (facial recognition biometric system) whose deployment has led to a legal sanction for non-compliance with data protection regulations, specifically the failure to perform a valid impact assessment and inadequate risk management. This non-compliance constitutes a breach of obligations intended to protect fundamental rights (privacy and data protection), fulfilling the criteria for an AI Incident under the framework. Although no direct data breach or physical harm occurred, the violation of legal protections and the imposition of a substantial fine demonstrate realized harm. The AI system's use is central to the incident, and the regulatory response confirms the seriousness of the harm related to AI deployment.

The event explicitly involves an AI system (facial recognition) used in airports, which processes biometric data—a category of special and high-risk data. The fine and suspension are due to the failure to conduct a valid impact assessment, which is a legal requirement to protect fundamental rights. This failure has led to a regulatory sanction and suspension, indicating harm in terms of violation of rights and breach of legal obligations. The AI system's deployment without adequate safeguards directly led to this harm. Hence, it meets the criteria for an AI Incident under violations of human rights and breach of applicable law protecting fundamental rights.

The facial recognition system qualifies as an AI system due to its biometric identification capabilities. The event involves the use of this AI system without fulfilling legal requirements designed to protect fundamental rights, specifically data protection and privacy rights under GDPR. However, the article states explicitly that no data breach or security incident has occurred, and no direct harm to individuals has been reported. The sanction is for non-compliance with legal obligations, which implies a risk of harm but not realized harm. Therefore, this event is best classified as an AI Hazard because the AI system's deployment without proper impact assessment could plausibly lead to violations of rights or other harms if continued, but no actual harm has yet materialized.

The event explicitly involves an AI system (facial recognition) used for biometric identification. The harm arises from the violation of data protection laws (GDPR) and the failure to conduct a required impact assessment, which is intended to prevent risks to individuals' rights and freedoms. This constitutes a breach of obligations under applicable law protecting fundamental rights, fulfilling the criteria for an AI Incident. Although no direct security breach or data leak occurred, the regulatory sanction reflects the seriousness of the rights violation. Hence, the event is not merely a potential hazard or complementary information but a realized incident involving AI misuse or non-compliance.

The article explicitly mentions the use of biometric identification AI systems (facial recognition) and the regulatory sanction due to privacy violations. However, it does not report any direct harm such as data breaches, misuse, or injury resulting from the AI system's malfunction or use. The focus is on legal compliance, data protection concerns, and the regulatory response, which fits the definition of Complementary Information. There is no indication that harm has occurred or that harm is imminent, so it is not an AI Incident or AI Hazard. The event is related to AI systems but primarily concerns governance and enforcement actions.

The event centers on the deployment of an AI-based facial recognition system without completing a required data protection impact assessment, a procedural failure under GDPR. While no direct harm (e.g., data breach or misuse) has occurred, the regulatory fine and suspension reflect recognition of the plausible risk of harm from this AI system's use. The AI system is explicitly involved, and the issue arises from its use and insufficient safeguards. Since the harm is potential and regulatory action is preventive, this fits the definition of an AI Hazard. It is not Complementary Information because the article focuses on the regulatory penalty and its implications, not on updates or responses to a prior incident. It is not an AI Incident because no realized harm has been reported. Therefore, the correct classification is AI Hazard.

The event explicitly involves an AI system (facial-recognition biometric boarding system) and concerns its use and legal compliance. Although the regulator imposed a large fine for inadequate risk assessment and legal groundwork, no actual harm such as data breaches, privacy violations, or other direct harms have been reported. The system is still operational, and the company disputes the fine. The main focus is on regulatory enforcement and legal compliance, which fits the definition of Complementary Information as it provides context on governance responses to AI use rather than reporting an AI Incident or AI Hazard.

Facial recognition is an AI system that processes biometric data to identify individuals. The event describes the use of this AI system in a way that violated data protection laws, specifically the failure to conduct a required impact assessment before deployment. This constitutes a breach of obligations under applicable law intended to protect fundamental rights, which fits the definition of an AI Incident. The fine and suspension of the system indicate that harm in the form of legal rights violations has occurred. There is no indication that the event is merely a potential risk (hazard) or a complementary update; it is a concrete incident involving AI misuse leading to legal harm.

The event explicitly involves an AI system (biometric boarding system) whose use has led to a regulatory finding of violations of data protection laws (a breach of obligations under applicable law protecting fundamental rights). The harm is indirect but materialized in the form of legal penalties and suspension of the system due to privacy and security concerns. The AI system's centralized storage of biometric data and insufficient informed consent processes constitute a breach of rights, fulfilling the criteria for an AI Incident. There is no indication that the event is merely a potential risk (hazard) or a complementary update; it is a concrete incident with regulatory consequences and recognized harm to rights.

The biometric boarding gates are AI systems processing sensitive biometric data, so AI system involvement is clear. The event stems from the use of these AI systems without completing a legally required data protection impact assessment, a development and use issue. The fine and shutdown order reflect a breach of legal obligations protecting fundamental rights (data privacy). However, the article does not report any actual harm to individuals or groups, such as data breaches, misuse, or physical harm. The operator claims informed consent was obtained, and the suspension is a regulatory response. Thus, the event is not an AI Incident (no realized harm) nor an AI Hazard (no plausible future harm described). Instead, it is a governance and regulatory update about AI system deployment and compliance, fitting the definition of Complementary Information.

The event explicitly involves an AI system (facial recognition biometric system) and concerns its use and regulatory compliance. The fine is due to failure to meet formal legal requirements (DPIA) and concerns about necessity and proportionality, which are governance issues. There is no evidence or claim of actual harm, data breach, or malfunction causing injury, rights violations, or other harms. The airport operator denies any security breach or harm. The event focuses on the imposition of a fine and the operator's intention to appeal, which is a governance/legal response. Thus, it fits the definition of Complementary Information, as it updates on societal and governance responses to AI deployment risks without reporting an AI Incident or AI Hazard.

The event explicitly involves an AI system (facial-recognition biometric system) and concerns its use and compliance with legal frameworks. The fine is due to failure to meet GDPR procedural requirements (DPIA), which is a breach of obligations intended to protect fundamental rights (privacy and data protection). Although no actual data breach or harm has occurred, the regulatory sanction reflects a violation of rights caused by the AI system's deployment without proper safeguards. Therefore, this qualifies as an AI Incident under category (c) - violations of human rights or breach of obligations under applicable law. It is not an AI Hazard because harm has already been recognized in the form of legal violation and sanction, and it is not merely complementary information or unrelated news.