The company enables its users to submit a photo of a person, and they will then be given links to wherever this person has been photoed elsewhere online - be it on social media, websites, or in the public cloud.
PimEyes claims in its statement that it only analyzes photographs that are made available to the public and that it is unable to identify owners. Therefore, there is no personal reference at all for the data recorded by PimEyes, and no processing of personal data occurs.
The state commissioner vehemently disagrees with these claims due to the grave danger posed to people’s rights and liberties by the company’s actions.
PimEyes’ Disregard for Data Privacy Laws
The state commissioner has initiated fine proceedings against PimEyes due to the company's apparent disregard for data privacy laws and serious shortcomings in technological and organizational safeguards.
Every image of a person that can be used to identify them or that depicts them represents personal data. For the processing of such pictures, a legal foundation in accordance with Article 6 DS-GVO is necessary.
Special categories of personal data are handled when biometric data is additionally used to unambiguously identify a natural person (biometric facial recognition). Article 9 of the GDPR generally forbids this kind of processing.
More and more businesses are thinking about implementing systems that process biometric data for authorization or security (e.g. access control, monitoring of worked hours, and building security).
Depending on the context, the use of biometric data may improve user comfort, operational efficiency, and security. However, the use of such systems is considered highly intrusive to privacy, and the GDPR only allows for a limited number of such operations to be carried out in practice.