<![CDATA[The implementation of AI-based FRT creates a fundamental conflict between security innovation and the protection of the human right to personal data. This research aims to (1) analyze the fundamental juridical-ethical challenges of AI-based identity systems; (2) examine the effectiveness and limitations of the GDPR (European Union) and the PDP Law (Indonesia) in responding to these risks; and (3) formulate recommendations for an adaptive regulatory framework. This research employs a normative legal research method, utilizing critical-comparative and prescriptive approaches. The analysis reveals two main findings. First, FRT presents unique systemic risks. These risks include discriminatory algorithmic bias, the normalization of mass surveillance, and an accountability crisis resulting from its “black-box” nature. These risks cannot be mitigated by conventional legal frameworks for privacy. Second, critical analysis proves that the GDPR and the PDP Law, as lex generalis instruments, are normatively and practically insufficient in regulating the specific and predictive dynamics of AI technology. This limitation creates a significant rechtsvacuüm, wherein technology adoption operates without adequate juridical oversight. Therefore, this research concludes that reliance on these two regulations is no longer sufficient. This research recommends a shift in Indonesia’s regulatory paradigm. The prescriptive solution proposed is the adoption of a lex specialis (derivative regulation) framework that is proactive, preventive, and adopts a risk-based approach. This framework is essential to ensure that AI innovation remains aligned with the principles of data protection and human dignity.]]>
