About Exporting SurveillanceEurope has some of the world's strictest rules on facial recognition. But the companies building the technology are European, and their clients are often abroad. From Brazilian classrooms to urban monitoring systems across the Global South, Investigate Europe traces how EU-made biometric tools are exported with fewer restrictions.
This story was produced in partnership with the Pulitzer Center’s AI Accountability Network.At Howrah station in Kolkata, the trains never really stop, and neither do the cameras. One of India's busiest railway terminals, around a million people pour through it every day, with crowds so dense that following a single face can be near impossible, at least with the human eye.Yet mounted high above the entrance and exit gates, platforms, food courts and waiting rooms, around 100 live facial recognition cameras silently keep track. The system, installed in the past year, lifts faces from the live feed and cross-checks them against a database of photos: wanted offenders, criminal suspects, missing people. A match alerts railway police to the exact spot a person was seen, and authorises police to approach them.Some commuters seem unaware that they are being surveilled in this way. Barnali Biswas, a private sector employee who passes through six days a week, was unbothered when questioned by a reporter, saying she thought it was probably good for safety. "People with nothing to do with crime had nothing to fear," she said.
This kind of camera, enabled with facial recognition software, is increasingly familiar across India. And in eastern India, one supplier of that software is the Spanish firm Herta Security. According to local partners and company documents, Herta supplies hundreds of railway stations across the region, Delhi's largest prison complex, a pilgrimage site in Ayodhya, and the city control rooms of Ahmedabad. 
Train stations like Howrah in Eastern India are rolloing out facial recognition cameras to track citizens.Credit: Shutterstock
Herta confirmed the use of its technology in India but in a written statement said that it would "not disclose confidential customer information". Its software may also be deployed at Howrah station itself, though local railway officials would not confirm this when asked.
A source at one of Herta's Indian partners told Investigate Europe that they estimated that more than 4,000 cameras across the world’s largest democracy are now powered by the Spanish firm’s technology.
At least part of that rollout is linked to the Nirbhaya Fund, a pot of public money created to tackle sexual violence after a shocking 2012 Delhi bus gang rape. Women’s rights groups in India argue the millions of euros earmarked for the fund have been spent on mass surveillance rather than on more direct victim protection and support.
According to four leading legal scholars who specialise in EU artificial intelligence and biometrics law, two of these deployments would be deemed unlawful if they operated inside the European Union: the system on Indian Railways' Eastern Region and a city-wide surveillance programme in Ahmedabad.
Herta said it took such concerns seriously, adding that its products are “developed in line with European data-protection principles, regardless of the market in which they are deployed.” However the company said that it could not "control how public authorities or system integrators implement the technology in specific environments".
Italian Member of the European Parliament Brando Benifei, however, said the findings raised troubling questions for European lawmakers.
“The fact that surveillance technologies banned in Europe are being exported and deployed elsewhere, such as in India's railway stations, exposes a dangerous double standard.”
— Brando Benifei
While the EU has heavily restricted similar surveillance on its own citizens, Investigate Europe has found that it funded the Spanish company to develop its technology. Since 2020, Herta has received more than €3.3 million in EU research funding for projects involving "crowd behaviour analysis" and facial recognition.Surveillance made in Spain
Herta Security was founded in Barcelona in 2009 by former Bosch employee Javier Rodríguez Saeta, a specialist in biometrics – automated identification based on people’s physical features or behaviour. "Back in 2005," Rodríguez would later recall in a 2019 interview, "I already thought that in the future it would be necessary to identify people who did not want to be identified."Today the company's flagship product, BioSurveillance NEXT, is designed for what its own marketing materials describe as crowd-scale deployment. Rodríguez has spoken of using it for "demonstrations, sports races, religious gatherings and airports". The data sheet advertises real-time searches against databases of up to 100 million subjects.The technology is underpinned by graphics-processing units, the same chips that power most current artificial intelligence and accelerate facial recognition so it can be performed in real time. In 2015, AI chipmaker Nvidia recognised Herta as a top emerging company in the sector. By 2019, Herta claimed to have amassed more than 200 clients across 50 countries.The market Herta serves has expanded rapidly in recent years. Such technology is now used at sports stadiums in the United States, by police forces in the United Kingdom and has also been trialled by police forces across the EU.However, the technology is heavily restricted in Europe. Since 2025, the EU AI Act has largely prohibited the use of real-time remote biometric identification systems, above all facial recognition, in public spaces for law enforcement purposes. Those drafting the law identified this as one of the few uses of AI they considered unacceptable.The ban allows three narrow exceptions: targeted searches for victims of trafficking, sexual exploitation or kidnapping, or missing persons; the prevention of a specific, imminent terrorist threat; and the identification of suspects of a closed list of serious crimes including terrorism, murder and rape. Even then, each individual use must be authorised by a judge in advance and logged in an EU database. 
Credit: Joanna Poupaki/Spoovio
Herta has a track record of working with clients beyond EU borders. In a marketing presentation from 2021 and seen by Investigate Europe, Herta lists several projects.These include city-wide surveillance schemes known as "safe-city projects" in Jamaica, Thailand and Mumbai in India. Other uses of its software include police forces in Colombia and Indonesia; football stadiums in Belarus and Russia and airports in Mexico, Nicaragua and Nigeria. It is not clear whether these partnerships are still active today.Herta’s software has also been used in Europe. Notably, the company’s technology was trialled by the German Federal Police in 2017 and 2018 at a Berlin train station.In 2019, Rodríguez was asked about the risk that Herta’s products might be misused. "In Europe," he said, "we are very well protected, we have very clear legislation that sets out the uses of this technology. There's nothing to fear." At that time, the EU-wide ban on real-time facial recognition in public spaces was not in place. The AI Act’s prohibition only took effect in February 2025. He did not address the protections available to citizens in his other markets such as India, where similar strict legislation is absent. 
The Estadio Centenario in Montevideo, Uruguay is believed to be among dozens of global locations where Herta software has been used.Credit: Shutterstock
The Indian portfolio: Railways, prisons and temples
Herta's expansion into India has unfolded over a decade. Around 2014, the company supplied four or five cameras for the Mumbai Safe City project, according to a local business partner.A former senior researcher at Herta, who asked to remain anonymous, said that the data Herta acquired through its early Indian deployments was central to overcoming problems with the algorithm's poor performance on non-white faces.Herta told Investigate Europe that it "does not use customer operational data from deployments as a default mechanism to train or improve its algorithms". Any use of personal or biometric data for algorithmic training "would require a clear legal basis". The real breakthrough came eight years later. In 2022, a Delhi-based company won an €11.5 million tender contract for a video surveillance system covering hundreds of train stations in eastern India. The facial recognition layer of the system runs on Herta software.Eastern Railway announced last year that 540 facial recognition systems were operational at 143 stations. The full plan covers 392 stations, among them some of the largest stations in the region. Herta’s local partners said that the systems could be fitted in more than 1,500 cameras in the future.Authorities regularly cross-reference faces against a watchlist of people of interest. It is not clear what criteria are used to list people, but one of Herta’s local business partners said there were around one million subjects on the watchlist.The scale of the system is unlike anything available in Europe, they added. "On the busiest station, if I just implement one camera, you run 10,000 people in five minutes." If the system returns a match, an alert is sent to an armed police force authorised to stop them, they claimed.In 2022, Delhi Police said it treated facial recognition matches at 80 per cent similarity as positive identifications. With millions of travellers, even a small error rate is not insignificant. Significantly, the watchlist data is not public, nor are the criteria for inclusion, and there is no route to contest a false match.“On the busiest station, if I just implement one camera, you run 10,000 people in five minutes.”
— A Herta partner in India
Herta’s presence on the Indian rail network is not confined to the Eastern Region. Under a programme run by the Railway Land Development Authority, which modernises stations nationwide, Herta’s software has reached terminals as far as Jaipur and Secunderabad, according to Herta’s local partner.
Its software also runs facial recognition systems across three of Delhi's prison complexes: Tihar, Mandoli and Rohini, the local partner claimed. The government contract for the deployment is reportedly worth 352 million rupees (€3.2 million).
The system is not confined to public or state infrastructure. It also runs at the Ram Mandir temple in Ayodhya, where the local partner claims that the surveillance system alerts local police when individuals on a watchlist are identified. Similar deployments at two other temples are in progress, they added.
Herta also operates in the context of safe-city programmes. In a marketing presentation obtained by Investigate Europe, the company claimed to have deployed 140 facial recognition cameras in Ahmedabad, and lists further deployments in several other cities.
Investigate Europe sought comments regarding the deployments by Eastern Railway, the authority implementing the Safe City Ahmedabad project, and the authorities responsible for managing Delhi’s prisons. All enquiries went unanswered.

The Safe City project in Ahmedabad is also deploying Herta software.Credit: Shutterstock
A rape and its consequences
Herta’s expansion in India is apparently linked to a policy shift triggered by an infamous rape case. In December 2012, a young physiotherapy student, boarded a private bus in Delhi with a male friend after watching a film in the local cinema. Unknown to them, the bus was off-duty. Its driver and five other men had stopped to pick the two of them up under the pretence of carrying passengers.Over an hour, the six men beat her friend, gang-raped her, and threw both of them, seriously injured, from the bus. She died of her injuries two weeks later. The case triggered widespread protests across India and forced a national debate about gender violence, public safety and the state’s failure to protect women.In 2013, the government announced a new fund. Civil society groups that campaigned in the wake of the case had asked for victim support, legal aid and shelter networks, recalled a human rights lawyer involved in the discussion at the time.The initial commitment of 10 billion rupees (€92 million) was for "the empowerment, safety and security of women and girl children". The fund came to be known by the same unofficial name the Indian press had given the young woman: Nirbhaya, meaning fearless.Over the years, the Indian government allocated more money towards the fund. By March 2025 around 58 billion rupees (€532 million) had been disbursed. Indian government data published in February 2024 showed that roughly 50 per cent went to surveillance and policing functions, versus 31 per cent for direct victim support services and emergency helplines.Some argue these new surveillance systems have not made women significantly safer. In 2014, the year after the Nirbhaya Fund was established, 340,000 crimes against women in India were reported by the National Crime Records Bureau. By 2023, the most recent year for which data is available, that figure had risen by roughly a third to 450,000.Flavia Agnes, a Mumbai-based lawyer who estimates she has worked on around 100,000 cases of violence against women over a 40-year career, said the design of the response to the national outcry was wrong from the start. .jpg&w=3840&q=75)
Credit: Joanna Poupaki/Spoovio
"I have not come across cases where this kind of surveillance has helped to identify the accused," she said. Most violence against women in India does not happen in the places the cameras can see like train stations, she explains, but in the home. "About 95 per cent of the rape cases take place by known people."
Audrey D'Mello, who directs a centre providing legal aid to survivors of violence in Mumbai, has not seen evidence of the surveillance working in her field. The infrastructure built in the name of women's safety, she said, has rarely been about women's safety. She is more cynical about the government’s project. "They also realised," she said, "that it's easier to push in the name of women."
There is no direct evidence suggesting that the use of surveillance cameras in public spaces have not increased women’s safety in the country.
The Indian Ministry of Women and Child Development, which oversees the Nirbhaya Fund, did not respond to requests for comment.
Prohibited in the EU, deployed abroad
Four scholars who work on EU artificial intelligence and biometrics law said the deployments in the Indian Railways Eastern Region and the Safe City Ahmedabad programme would be unlawful in the EU.
"Such a deployment in an EU member state would quite clearly violate" the EU’s AI Act, said Rita Matulionyte from Macquarie Law School in Sydney.
Catherine Jasserand, of KU Leuven in Belgium, reached the same conclusion. "I don't think these two cases constitute good examples of the live use of facial recognition technology by police in public spaces."
"The two deployments are too broad to fall under one of the exceptions," she said, referring to the carve-outs for searches for vulnerable people, terror threats and suspects of serious crimes.
Even under those exceptions, EU law requires it first to pass a national statute authorising the practice, with detailed rules on supervision, reporting and judicial control. Spain, where Herta is based, has passed no such law, meaning the company could not legally run the system at home as in India.
.jpg&w=3840&q=75)
Credit: Joanna Poupaki/Spoovio
India's own legal framework offers no comparable protection. India has no comprehensive data protection law in force, and what it has passed exempts policing and law enforcement so broadly that deployments like these remain effectively unregulated."India is definitely one of the leading adopters of facial recognition technology in the world without any safeguards," said Apar Gupta, a Delhi-based digital rights lawyer and founder of the Internet Freedom Foundation.EU-funded crowd control
Herta has received EU public money to develop the kind of technology that it sells in India. According to analysis by Investigate Europe, the company has received at least €3 million in EU research funding over the past five years, with further support from Spanish national programmes. The largest single grant, worth €2.36 million between 2022 and 2024, supported a Herta project called FUTURE.The technology developed under the project was, according to Herta, designed to perform "crowd behaviour analysis to identify abnormal activities and potential threats in large gatherings, public events, and high-traffic areas".A separate page on the project's website, since taken down but preserved in web archives, described its facial recognition layer as a tool for law enforcement agencies "to swiftly and accurately identify suspects and terrorists".The use case described by Herta – real-time identification of suspects in crowded public spaces – is precisely the scenario the EU largely prohibited on its own soil soon after the FUTURE project ended. However, it is a blueprint it appears to be adopting in India."As with many technology companies, knowledge gained through research projects may contribute to the general evolution of our expertise, methodologies and product roadmap," a Herta spokesperson said."However, EU research funding is not used to finance, operate or subsidise specific commercial deployments in India or elsewhere."The European Commission did not respond to requests for comment by the time of publication.Italian MEP Brando Benifei led negotiations for the European Parliament in finalising the AI Act. While the use of such facial recognition technology is now largely banned at home, Benifei believes the law must go further and prevent exports outside the EU altogether. "The European Union cannot claim to be a global champion of digital rights if we allow our companies to profit abroad from tools deemed too dangerous for European citizens," he said. "We should find arrangements to not allow the export and use abroad of systems we would not permit at home."------Editors: Ella Joyner, Mei-Ling McNamara Additional reporting: Snigdhendu Bhattacharya and Shivnarayan RajpurohitThis story was supported by the Pulitzer Center’s AI Accountability Network. It is published with media partners including Computer Weekly (UK), EUObserver (Belgium), InfoLibre (Spain), Tech Policy Press (US) and The Reporters’ Collective (India).