EU-banned Spanish surveillance tech monitors millions in India
A Spanish company that received millions in EU research funding is supplying facial recognition systems to Indian railways that would be illegal to operate inside Europe, exposing a regulatory double standard.
Herta Security, a Barcelona-based firm, has equipped over 4,000 cameras in India with facial recognition software. The technology monitors millions of daily commuters at major railway terminals, including Howrah station in Kolkata, as well as a Delhi prison complex and a pilgrimage site in Ayodhya.
These deployments would be unlawful if operated inside the European Union. Since February 2025, the EU AI Act has strictly prohibited real-time biometric identification in public spaces for law enforcement, barring narrow exceptions like tracking kidnapping victims. Yet the technology EU lawmakers deemed an unacceptable risk to their own citizens is actively scanning crowds abroad.
The export creates a dilemma for European policymakers. Despite the domestic ban, the EU has awarded Herta more than €3.3m in research funding since 2020 for projects involving crowd behaviour analysis and facial recognition.
Herta's flagship system, BioSurveillance NEXT, is built for mass deployment, advertising real-time searches against databases of up to 100 million subjects. In eastern India, railway police use it to cross-reference travellers against a watchlist of around one million people. Local partners note a single camera can scan 10,000 people in five minutes, triggering an armed police response upon a match. Because Delhi police have previously treated 80 percent similarity matches as positive identifications, legal experts worry about false arrests in a system with no public criteria for watchlist inclusion.
Four legal scholars specialising in EU biometrics law confirmed the Indian railway and Ahmedabad city-wide systems breach EU standards. Italian socialist MEP Brando Benifei said: "The fact that surveillance technologies banned in Europe are being exported and deployed elsewhere, such as in India's railway stations, exposes a dangerous double standard."
Herta stated its products are "developed in line with European data-protection principles, regardless of the market in which they are deployed." The company added it could not "control how public authorities or system integrators implement the technology in specific environments."