German regulator sits on hands as facial recognition tool PimEyes amasses billions of faces
The Austrian privacy advocacy group noyb has launched legal action against Hamburg’s data protection authority (DPA), arguing that the regulator fails to enforce European privacy laws against PimEyes’s controversial facial recognition services.
PimEyes is a facial recognition search engine that allows users to find images of a person online by uploading a photo.
According to noyb, PimEyes continuously scans the internet to collect faces for its database, which contains billions of images.
Critics say the tool enables mass surveillance and can be misused for stalking or harassment. That’s why, back in July 2020, a person lodged a complaint against PimEyes for collecting biometric data without his consent.
After five years, the Hamburg DPA concluded that PimEyes’ processing of biometric data may be unlawful under the EU’s General Data Protection Regulation (GDPR). However, the regulator decided not to act against the company because it’s based in Dubai and doesn’t respond to inquiries.
After failing to act against PimEyes, noyb filed a lawsuit against Hamburg’s DPA. The privacy organization argues that once a violation is identified, regulators are legally required to act. This could involve freezing funds in Europe, requiring PimEyes’ service providers to delete data, or imposing measures directly against the managing director.
“The unchecked spread of facial recognition tools such as PimEyes is disastrous for privacy: stalking and mass surveillance of millions of people can be carried out in a matter of seconds. PimEyes has amassed billions of pieces of biometric data from innocent people without their knowledge and makes this data available to everyone. This mass surveillance of private individuals is clearly unlawful, and the Hamburg authority also sees it this way,” noyb Chairman Max Schrems states.
Check if your data has been leaked
Jonas Breyer, noyb’s lawyer, is surprised that the German privacy supervisor hasn’t done anything to put a stop to PimEyes’ illegal data collection practices.
“It is worrying that the authority is not even attempting to take effective steps to enforce the GDPR, and that PimEyes is thus able to continue its clearly unlawful practices unhindered. The Hamburg supervisory authority is signaling once again that, even in the face of serious GDPR violations, it is sitting on its hands and inviting calculated breaches of the law,” he says.
Should the lawsuit be successful, the Hamburg DPA would have to reconsider the original complaint from 2020 and would likely have to take measures against PimEyes.
Unlock more exclusive Cybernews content on YouTube.
