noyb Sues Hamburg DPA Over Inaction Against Facial Recognition Engine PimEyes
Key Takeaways
- ▸noyb sued Hamburg DPA for failing to enforce GDPR against PimEyes despite admitting the facial recognition engine's practices are unlawful
- ▸PimEyes has collected billions of biometric images from the internet without consent, operating a searchable facial recognition database available to anyone for a fee
- ▸The Hamburg DPA refused enforcement citing PimEyes' claimed non-EU jurisdiction, despite five years to investigate and despite the company's changing jurisdictional claims
Summary
Privacy advocacy group noyb has filed a lawsuit against Hamburg's data protection authority (DPA), claiming the regulator has failed to take effective action against PimEyes, a facial recognition search engine that systematically extracts and indexes billions of biometric images without consent. Despite concluding that PimEyes' practices violate GDPR, the DPA refused to enforce compliance, citing the company's claimed Dubai headquarters as justification for inaction. The lawsuit represents a major escalation in efforts to hold both tech companies and regulators accountable for facial recognition abuses.
PimEyes operates a searchable database of billions of images scraped from the internet, allowing users to upload photos and identify individuals through facial recognition matching. The company charges fees for premium access to detailed matching results and source links. A complaint against PimEyes was first filed with the Hamburg DPA in July 2020, but the authority took over five years to reach a decision—only to decline enforcement after concluding the practices were unlawful. Throughout the proceedings, PimEyes claimed different jurisdictions (Poland, Seychelles, Belize, and finally Dubai), yet the DPA never verified these claims and ultimately used the jurisdictional questions as grounds to avoid action.
Noyb argues the DPA has effective enforcement tools available even for non-EU companies, including freezing European funds, requiring service providers to delete data, and targeting company management. The lawsuit seeks to force the authority to reconsider the original complaint and take concrete measures. The case highlights a critical enforcement gap in GDPR: when regulators defer to jurisdictional questions, sophisticated operators can effectively evade accountability.
- The lawsuit exposes a regulatory enforcement gap: companies can evade GDPR accountability by claiming non-EU status, even when operating freely in European markets
