alt text
alt text

Login as existing user

Get started free
  • Blog
  • German Data Protection Authority Begins Prosecuting PimEyes Face Search Engine
Categories

German Regulator Targets PimEyes' Face Search

Simon Coulthard December 29, 2022

2-minute read
GDPR & Data Privacy Regulations

Dr. Stefan Brink, the State Commissioner for Data Protection and Freedom of Information, has opened proceedings against PimEyes - a result of the company’s use of facial recognition technology, as well as its face databases and personal profiles.

Users have suffered from a loss of anonymity, which drew the attention of data protection officials.

The company scans "masses of faces on the Internet for individual characteristics", according to research by netzpolitik.org, and maintains biometric data (i.e., personal traits like facial shape, eye color, or the distance from mouth to nose) with which everyone can be precisely recognized. 

These concerns started in May 2021, after which several procedures were followed to check if the company complies with data protection laws.

Read more about this topic on the State Commissioner for Data Protection and Freedom of Information website.

How PimEyes Disobeys Data Privacy Law

Because PimEyes is used globally, it is reasonable to assume that the company processes personal data from European users, meaning that it sits within the scope of the General Data Protection Regulation (GDPR).

This law forbids the use of biometric information for identifying human beings, yet the company database has been accessible for users anywhere in the world.

The State Commissioner is still unclear about how the corporation uses this data.

You can submit a photo of a person to find out where else on the internet that person's face is already present, such as on social media, own website, or in the public cloud. In the state commissioner's opinion, it is still unclear how the corporation uses this data.

PimEyes has been requested to provide details on the data that the business processes by the State Commissioner for Data Protection and Freedom of Information, Dr. Stefan Brink. In order to accomplish this, the state commissioner has sent the business a lengthy list of inquiries.

The state commissioner received a statement from PimEyes on November 1, 2022, in which the firm discusses the legal justification for using biometric data to identify people, technological and organizational measures (TOMs), and safeguards against data misuse.

The company enables its users to submit a photo of a person, and they will then be given links to wherever this person has been photoed elsewhere online - be it on social media, websites, or in the public cloud.

PimEyes claims in its statement that it only analyzes photographs that are made available to the public and that it is unable to identify owners. Therefore, there is no personal reference at all for the data recorded by PimEyes, and no processing of personal data occurs. 

The state commissioner vehemently disagrees with these claims due to the grave danger posed to people’s rights and liberties by the company’s actions.

 

PimEyes’ Disregard for Data Privacy Laws

The state commissioner has initiated fine proceedings against PimEyes due to the company's apparent disregard for data privacy laws and serious shortcomings in technological and organizational safeguards.

Every image of a person that can be used to identify them or that depicts them represents personal data. For the processing of such pictures, a legal foundation in accordance with Article 6 DS-GVO is necessary. 

Special categories of personal data are handled when biometric data is additionally used to unambiguously identify a natural person (biometric facial recognition). Article 9 of the GDPR generally forbids this kind of processing. 

More and more businesses are thinking about implementing systems that process biometric data for authorization or security (e.g. access control, monitoring of worked hours, and building security). 

Depending on the context, the use of biometric data may improve user comfort, operational efficiency, and security. However, the use of such systems is considered highly intrusive to privacy, and the GDPR only allows for a limited number of such operations to be carried out in practice. 

Get Started for Free

Gain World-Class Insights & Offer Innovative Privacy & Security

Categories
You might also like
Why You Don't Actually Need a Cookie Banner
Why cookie banners aren't necessary
05 April 2024 - by Simon Coulthard
Why You Don't Actually Need a Cookie Banner
What is GDPR. Implications of GDPR on Marketers
what-is-gdpr-implications-of-gdpr-on-marketers.jpg
09 February 2022
What is GDPR. Implications of GDPR on Marketers
Cookieless Tracking - the Privacy-First Solution to Website Analytics
cookieless-tracking-the-privacy-first-solution-to-website-analytics.jpg
17 March 2023
Cookieless Tracking - the Privacy-First Solution to Website Analytics
mail-insigh.svg

Insights to Your Inbox

Receive a monthly summary of website intelligence news, advice, and also product updates. And don't worry, we won't tell sales!

SUBSCRIBE

Read next

SCHUFA: ECJ Rules Credit Agency Processes Violate GDPR
SCHUFA - GDPR - Court Decisionn
11 December 2023 - by Simon Coulthard
SCHUFA: ECJ Rules Credit Agency Processes Violate GDPR
Meta's 2024 Twist: Facebook Subscription with Opt-Out Tracking Charges
Facebook Subscription - Meta Charging Users Who Want Their Privacy Rights - TWIPLA Website Intelligence
23 October 2023 - by Simon Coulthard
Meta's 2024 Twist: Facebook Subscription with Opt-Out Tracking Charges
23andMe Privacy Mess: Hacker Steals Millions of Profiles
23andMe privacy - customer profiles available on Dark Web - TWIPLA Website Intelligence blog
16 October 2023 - by Simon Coulthard
23andMe Privacy Mess: Hacker Steals Millions of Profiles
German Data Privacy Laws: Why They’re So Uncompromising
German data privacy laws - why privacy matters in Germany - TWIPLA website intelligence
05 October 2023 - by Simon Coulthard
German Data Privacy Laws: Why They’re So Uncompromising
up-arrow.svg