The Chaos Computer Club supports the lawsuit against Hamburg’s data protection authority in connection with the illegal facial recognition search engine PimEyes. The supervisory authority had taken no action for five years and then simply dropped the case.
Today, the Austrian NGO noyb, supported by the Chaos Computer Club (CCC), filed a lawsuit against Hamburg’s Data Protection Authority, which has been simply sitting on a complaint against PimEyes since July 2020, despite considering the company’s actions to be unlawful. Meanwhile, PimEyes continues to operate its unlawful business.
The complaint procedure was closed after more than five years with a decision in November 2025. The reason for the closure is the mere suspicion that any measures could not have been enforced.
This declaration of bankruptcy by the regulatory authority shows a serious enforcement deficit in data protection. Even in the case of obviously unlawful business models in the field of biometric mass surveillance, effective measures are not taken, nor are they even attempted. Since 2020, nothing has actually happened.
PimEyes is a shady company that has at various times been based in Poland, the Seychelles, Belize, or Dubai. It constantly scans the Internet for faces, biometrically measures them, compares similarities, and links them to the places where they were found. This is a commercial misuse of biometric data.
For any photo, PimEyes can show where a similar face appears on the Internet. This opens up the potential to end anonymity outside the Internet.
While it is still possible to avoid online surveillance in part by using anonymization services or ad blockers, this biometric search for faces directly accesses our appearance, which is difficult to change or hide. Anyone who moves around in public spaces can be recognized by illegal facial recognition services like PimEyes: at any time, anywhere, and by any third party.
This means that there is an infrastructure that deeply interferes with the fundamental rights of many millions of people and opens the door to abuse, for example for stalking, intimidation or comprehensive behavioral analysis – of course without the knowledge and consent of those affected.
The General Data Protection Regulation (GDPR), which is based on the EU Charter of Fundamental Rights, applies everywhere in Europe. It is not optional, not even in Hamburg.
“If regulatory authorities fail to act in the case of such clear legal violations, a dangerous precedent is set. The protection of fundamental rights becomes optional. But biometric mass surveillance must not prevail simply because its providers are betting on the authorities’ inaction,” says Matthias Marx, spokesperson for the CCC.
Matthias Marx is the claimant in the proceedings against the Hamburg data protection authority. His lawyer, Jonas Breyer, says: “It is worrying that the authority is not even attempting to take effective steps to enforce the GDPR – and that PimEyes is thus able to continue its clearly unlawful practices unhindered. The Hamburg supervisory authority is signalling once again that, even in the face of serious GDPR violations, it is sitting on its hands and inviting calculated breaches of the law.”
The CCC supports noyb’s lawsuit and calls for:
Whether PimEyes or other providers are based in the EU, the Seychelles, or elsewhere is irrelevant. Under the market location principle, the GDPR applies, and these services which process biometric data are also directed at people in the EU.
Illegal business practices that disregard the fundamental rights of millions must not be tolerated. Instead, authorities must take active measures against the providers.
The German government’s current plans for biometric mass surveillance show that years of official inaction against obviously unlawful facial recognition platforms not only allow these services to continue operating, but also normalize such practices to the point where they are now being used as a model for legislation that undermines fundamental rights. This must stop.