How does EchoDepth address EU AI Act requirements?

EchoDepth is designed for analyst-led use with human oversight, not automated emotion recognition for employment decisions. Defence and national security applications have specific provisions under the EU AI Act. Cavefish provides deployment-specific regulatory guidance and supports DPIA requirements.

What biometric data does EchoDepth process?

EchoDepth processes facial Action Unit data derived from video. Under UK GDPR, this constitutes special category biometric data requiring explicit consent or specific legal authority, a deployment-specific DPIA, and appropriate technical safeguards including pseudonymisation.

What human oversight is required for EchoDepth deployments?

EchoDepth is designed for analyst-led workflows. Trained human analysts must review and interpret behavioural signals within operational context. The system does not make security decisions or threat classifications — these remain human responsibilities.

AI Governance, Biometric Risk and Human Oversight

Regulatory Landscape

AI systems that process biometric data operate in an evolving regulatory environment. Key frameworks include:

UK GDPR — Biometric data is special category data requiring explicit consent or specific legal authority
EU AI Act — Emotion recognition systems face restrictions, with specific provisions for law enforcement and national security
UK AI Regulatory Framework — Proportionate, context-based approach with sector-specific guidance emerging
Defence and Security Standards — NCSC guidance, DSAT compliance, sector-specific requirements

EchoDepth Governance Design

EchoDepth is designed to support compliant deployment through:

Analyst-led architecture — Human oversight is built into the system design, not added as an afterthought
No automated decisions — The system provides signals, not classifications or decisions
Pseudonymisation by default — Technical safeguards for biometric data protection
Audit logging — Immutable records of system operation and analyst actions
On-premise deployment — Data sovereignty and control through local processing

Deployment Requirements

Cavefish does not deploy EchoDepth without appropriate governance structures in place:

Legal basis — Explicit consent from monitored individuals or specific legal authority
DPIA — Deployment-specific Data Protection Impact Assessment
DPA — Signed Data Processing Agreement
Human oversight — Defined analyst roles and escalation procedures
Governance structure — Clear accountability for deployment decisions

Biometric Risk Management

Biometric data processing carries inherent risks that must be managed:

False positives — Behavioural signals are indicators, not proof. Human interpretation is essential
Bias — Systems must be validated across demographic groups relevant to deployment context
Function creep — Clear boundaries on system use must be maintained
Data security — Biometric data requires appropriate protection throughout its lifecycle

EU AI Act and Emotion Recognition

The EU AI Act includes specific provisions for emotion recognition systems. Key points:

Emotion recognition in workplaces and education faces restrictions
Law enforcement and national security applications have specific provisions
Biometric categorisation (distinct from emotion recognition) has different requirements
Defence applications may fall under national security exemptions depending on context

EchoDepth is positioned as behavioural threat intelligence with human oversight, not automated emotion recognition. Cavefish provides deployment-specific guidance on regulatory positioning.

Request Information

Governance and compliance briefing

Guidance for legal, compliance, procurement and governance professionals. NDA available.

Request Governance Briefing Analyst-Led AI

AI Governance, Biometric Riskand Human Oversight