No action taken against PimEyes: noyb lawsuit against Hamburg DPA
noyb sues Hamburg DPA for inaction against PimEyes facial recognition engine collecting billions of biometric data.
Summary
Privacy advocate noyb has filed a lawsuit against the Hamburg Data Protection Authority, alleging the DPA refuses to enforce GDPR against PimEyes, a facial recognition search engine that systematically collects and sells access to billions of biometric images without consent. Although the Hamburg DPA itself acknowledges PimEyes' practices are unlawful, it claims it cannot act because the company appears to be based outside the EU (citing Dubai, after the company previously claimed locations in Poland, Seychelles, and Belize). noyb argues the DPA has other enforcement tools available—such as freezing European funds or compelling service providers to delete data—and that the five-year inaction signals weak GDPR enforcement.
Full text
National Administrative Procedures and DPA inactivity / 30 April 2026 Today, noyb has filed a lawsuit against the Hamburg data protection authority (DPA). While the authority considers the practices of the facial recognition search engine PimEyes to be illegal, it refuses to take effective action because the company seems to be based in Dubai. PimEyes systematically extracts biometric data from images on the internet and uses it to build up a database. Users can upload photos of people to this website to find further images of the same person via facial recognition. The claimant had originally filed a complaint against PimEyes with the Hamburg DPA in July 2020. Complaints procedure C042Background on PimEyes. PimEyes continuously scans the internet to collect faces in a database. The company has already collected billions of images, which are used for its facial recognition search engine. On its website, anyone can identify other people by uploading a photo of them. You are then shown further images of the same person, including links to the sources. For a fee, you can access further details, such as the probability that it is the same person. The technology behind this is based on facial recognition – and thus on the analysis of biometric data. In this respect, PimEyes operates in a similar way to the US company Clearview AI, which has already incurred fines running into millions due to its GDPR violations.Max Schrems, Chairman of noyb: “The unchecked spread of facial recognition tools such as PimEyes is disastrous for privacy: stalking and mass surveillance of millions of people can be carried out in a matter of seconds. PimEyes has amassed billions of pieces of biometric data from innocent people without their knowledge and makes this data available to everyone. This mass surveillance of private individuals is clearly unlawful – and the Hamburg authority also sees it this way.”Years of waiting for an “information letter”. An affected individual had therefore already lodged a complaint against PimEyes back in July 2020. The Hamburg data protection authority responsible for this case took more than five years to reach a decision. However, whilst the authority assumes that PimEyes acted unlawfully and should have responded to the complainant’s access and deletion request, it has taken no action: the DPA claims that, apart from sending an ‘information letter’ to the company, it doesn’t need to take any concrete measures to prevent a continued breach of law. The reasoning: PimEyes is based in Dubai and does not respond to enquiries.Throughout the five years of the proceedings, PimEyes claims to have been based in Poland, the Seychelles and Belize – yet the Hamburg authorities apparently never verified whether the changing locations on the website were in fact accurate. Now, however, they are being used as a justification for taking no action.Jonas Breyer, the plaintiff's lawyer: "It is worrying that the authority is not even attempting to take effective steps to enforce the GDPR – and that PimEyes is thus able to continue its clearly unlawful practices unhindered. The Hamburg supervisory authority is signalling once again that, even in the face of serious GDPR violations, it is sitting on its hands and inviting calculated breaches of the law.”Legal action against the authority. The claimant believes that the Hamburg Data Protection Authority should take effective action against PimEyes, which is also possible in the case of data controllers from third countries. This could involve freezing funds in Europe, requiring PimEyes’ service providers to delete data, or imposing measures directly against the Georgian managing director. Should the lawsuit be successful, the authority would have to reconsider the original complaint and would likely have to take measures that provide effective relief.Felix Mikolasch, data protection lawyer at noyb: “Instead of relying on the contact details on the PimEyes website to stop working on the case, the Hamburg supervisory authority should take effective action against the company. It cannot simply end its work because it speculates that the measures might be fruitless. This possibility can never be completely ruled out. Other authorities have also imposed fines on the comparable US company Clearview AI.”The claimant is represented by Jonas Breyer of Breyer Legal. noyb represented the claimant in the proceedings before the Hamburg Data Protection Authority and supports the claim. This case is also supported by the Chaos Computer Club.