noyb sues Hamburg DPA as PimEyes keeps scanning faces unhindered

Privateness advocacy group noyb at present filed a lawsuit in opposition to the Hamburg knowledge safety authority (HmbBfDI), escalating a authorized dispute that started with a grievance initially lodged in July 2020. The case targets the authority’s choice to acknowledge PimEyes operates unlawfully – however to do nothing significant about it. The central argument is stark: the authority can not cite an organization’s obvious offshore location as a purpose to desert enforcement of European privateness regulation.

PimEyes is a facial recognition search engine that repeatedly scans the general public web to reap pictures of faces and retailer them in a database. In response to noyb, the corporate has already collected billions of pictures. Anybody visiting the web site can add a photograph of an individual and obtain additional pictures of that very same particular person together with hyperlinks to the place these pictures seem on-line. For a charge, customers also can entry a likelihood rating indicating how assured the system is that two pictures present the identical individual. The underlying mechanism depends on facial recognition, which in authorized phrases means the processing of biometric knowledge – a particular class of non-public knowledge afforded heightened safety below the Common Information Safety Regulation.

The enterprise mannequin attracts direct comparisons to Clearview AI, the US-based agency that built a comparable database and faced fines across multiple European jurisdictions. Greece issued a 20 million euro positive in opposition to Clearview in July 2022. Italy adopted with its personal 20 million euro penalty in March 2022. The Netherlands added a 30.5 million euro positive in September 2024. Prison fees have been later filed in opposition to Clearview executives in Austria in October 2025. PimEyes has operated in comparable territory however with out going through comparable enforcement motion in Europe.

A grievance that took greater than 5 years to provide a call

The unique grievance was filed with the Hamburg DPA on July 31, 2020. In response to noyb’s case documentation, the authority took greater than 5 years to succeed in a proper choice, which it issued on November 7, 2025. That call concluded that PimEyes acted unlawfully and will have responded to the complainant’s entry and deletion requests. But regardless of that discovering, the Hamburg DPA introduced it might take no concrete measures past sending what it described as an “data letter” to PimEyes.

The reasoning supplied by the authority hinged on location: PimEyes, it famous, seems to be based mostly in Dubai and doesn’t reply to inquiries. Requiring enforcement steps that may show tough to execute, within the authority’s view, was not one thing it was obligated to do.

noyb rejected that reasoning. In response to the group’s knowledge safety lawyer Felix Mikolasch, “As a substitute of counting on the contact particulars on the PimEyes web site to cease engaged on the case, the Hamburg supervisory authority ought to take efficient motion in opposition to the corporate. It can not merely finish its work as a result of it speculates that the measures could be fruitless. This chance can by no means be fully dominated out. Different authorities have additionally imposed fines on the comparable US firm Clearview AI.”

The case file, printed by noyb as case C042, reveals an extended path of procedural exercise between 2020 and 2025. On August 13, 2020, the authority confirmed receipt of the grievance. noyb formally stepped in to signify the complainant on Could 12, 2021. A name with the Hamburg DPA on August 17, 2022 revealed the authority’s place: it couldn’t implement a call, and it argued that Poland – the place PimEyes had beforehand claimed an institution – was not competent both, since no confirmed EU institution may very well be verified.

The shifting location drawback

PimEyes has, over the course of the proceedings, claimed to be based mostly in three completely different nations: Poland, the Seychelles, and Belize. In response to noyb, the Hamburg authority apparently by no means verified whether or not any of those claimed places on the web site have been correct. Now, with PimEyes showing to function from Dubai, the authority is utilizing that shifting presence as grounds to say no additional motion.

This jurisdictional issue shouldn’t be distinctive to PimEyes. The Hamburg DPA has faced separate legal challenges from noyb over its handling of other GDPR complaints, together with a 2024 lawsuit over the authority’s choice on “Pay or OK” consent banners, the place noyb alleged the authority failed to think about essential knowledge on person behaviour and engaged in improper communications with the writer below investigation.

On October 25, 2024, the Hamburg DPA informed noyb it might have a look at new potentialities for progressing the PimEyes case and requested for documentation from 4 years earlier. On December 2, 2024, noyb replied that the info topic had not but positioned the paperwork. The formal choice got here on November 7, 2025, adopted by noyb having access to the case file on November 18, 2025.

What enforcement might seem like

The lawsuit filed at present argues that efficient enforcement in opposition to PimEyes is legally doable though the corporate operates from a 3rd nation. noyb’s authorized crew has outlined three potential avenues the Hamburg DPA might pursue.

First, the authority might freeze funds that PimEyes holds in Europe. Second, it might require PimEyes’ service suppliers – together with internet hosting and infrastructure firms working throughout the EU’s jurisdiction – to delete knowledge. Third, it might take measures instantly in opposition to the corporate’s Georgian managing director. In response to noyb, ought to the court docket discover within the complainant’s favour, the Hamburg DPA could be required to rethink the unique grievance and would doubtless must implement measures that present significant reduction.

Jonas Breyer, the plaintiff’s lawyer, described the authority’s inaction as worrying: “It’s worrying that the authority shouldn’t be even making an attempt to take efficient steps to implement the GDPR – and that PimEyes is thus capable of proceed its clearly illegal practices unhindered. The Hamburg supervisory authority is signalling as soon as once more that, even within the face of significant GDPR violations, it’s sitting on its palms and welcoming calculated breaches of the regulation.”

The claimant is represented by Jonas Breyer of Breyer Authorized. noyb, which gained EU-wide authority for collective data protection cases in December 2024, supported the complainant throughout the Hamburg proceedings and helps the present declare. The case additionally carries the backing of the Chaos Laptop Membership, Germany’s outstanding digital rights organisation.

Biometric knowledge below the GDPR

The authorized stakes hooked up to facial recognition searches are excessive as a result of biometric knowledge falls below Article 9 of the GDPR, which governs particular classes of non-public knowledge. Processing such knowledge with out an express authorized foundation or the info topic’s express consent is prohibited. The burden of justification is significantly larger than for atypical private knowledge, and the potential fines for violations can attain 20 million euros or 4 % of worldwide annual turnover, whichever is larger.

In response to Max Schrems, Chairman of noyb, the size of PimEyes’ operations represents a severe risk to particular person privateness: “The unchecked unfold of facial recognition instruments akin to PimEyes is disastrous for privateness: stalking and mass surveillance of thousands and thousands of individuals could be carried out in a matter of seconds. PimEyes has amassed billions of items of biometric knowledge from harmless individuals with out their information and makes this knowledge accessible to everybody. This mass surveillance of personal people is clearly illegal – and the Hamburg authority additionally sees it this manner.”

The EDPB’s 2025 annual report, printed on April 9, 2026, recorded a mixed complete of 1,145,760,374 euros in GDPR fines issued by nationwide knowledge safety authorities throughout Europe throughout 2025 alone. Germany’s mixed DPA actions produced 499 fines totalling 48,117,083 euros throughout that yr. That enforcement quantity underlines the broader stress European regulators are below to behave, at the same time as particular person circumstances akin to PimEyes drag on for years with out decision.

A broader sample of data protection authorities being criticised for ineffective GDPR enforcement has been documented by noyb itself. A research printed by the group in January 2024 discovered that 74 % of knowledge safety professionals believed DPAs would discover related violations in the event that they carried out on-site investigations at a median firm dealing with person knowledge. That very same research famous that 70 % of respondents believed DPAs wanted to situation clearer selections and implement the GDPR extra constantly. The PimEyes case suits this sample exactly: a proper discovering of illegality from a regulator, adopted by a call to take no corrective motion.

Why this issues past the grievance

The case shouldn’t be solely about one individual’s try to have their biometric knowledge deleted from a search engine. It raises a structural query about whether or not European knowledge safety authorities can decline to implement GDPR selections in opposition to firms which might be tough to find. If that precept have been to be accepted, it might create a simple template for firms wishing to proceed processing private knowledge illegally: merely function from outdoors the EU and reply to nothing.

Related pressures are seen elsewhere. Spain’s AENA received a 1.8 million euro fine for airport facial recognition failures in November 2025, in a case the place the AEPD discovered insufficient knowledge safety impression assessments for biometric passenger processing. The European Data Protection Board’s 2024 opinion on facial recognition in airports additionally emphasised most particular person management over biometric knowledge and strict knowledge minimisation necessities.

Within the PimEyes context, these rules are being examined in a much more aggressive business utility – one the place the complete enterprise mannequin is constructed on processing biometric knowledge of people who by no means consented and are sometimes unaware their pictures are listed.

noyb can also be pursuing separate enforcement actions on the EU degree. The organisation’s March 2026 survey of 510 data protection officers revealed a pointy disconnect between the European Fee’s proposed GDPR reforms and what privateness professionals inside firms stated would truly cut back compliance burdens. That context issues right here: similtaneously the Fee discusses loosening some GDPR necessities, enforcement on elementary points akin to illegal biometric scraping stays patchy.

The Hamburg DPA has not publicly commented on the lawsuit. PimEyes has not responded to the proceedings earlier than the Hamburg authority and, in line with noyb, doesn’t reply to inquiries.

Timeline

• 31 July 2020 – Unique grievance filed in opposition to PimEyes with the Hamburg DPA
• 13 August 2020 – Hamburg DPA confirms receipt of the grievance
• 12 Could 2021 – noyb formally steps in to signify the complainant
• 7 July 2021 – noyb informs the supervisory authority that Poland’s UODO doesn’t have the case
• 30 July 2021 – Supervisory authority informs noyb about communication with Poland’s UODO
• 17 August 2022 – Hamburg DPA name: authority says enforcement could be inconceivable and questions whether or not Poland is competent
• 30 November 2022 – Name with Hamburg DPA references the parallel Clearview case (C025) and asks for proof of any EU institution of PimEyes
• 28 September 2023 – Name with Hamburg DPA to debate grievance standing
• 20 October 2023 – noyb sends details about the Polish Firm Register and addresses utilized by PimEyes and associated firms
• 25 October 2024 – Hamburg DPA says it can discover new potentialities and requests documentation from 4 years earlier
• 2 December 2024 – noyb replies that the info topic has not but positioned the requested paperwork
• 7 November 2025 – Hamburg DPA points choice: considers PimEyes unlawful however declines to behave, citing Dubai location
• 18 November 2025 – noyb features entry to the case file
• 30 April 2026 – noyb information lawsuit in opposition to the Hamburg DPA; Clearview AI faced criminal charges in Austria from October 2025; Hamburg DPA previously challenged over Pay-or-OK inaction, August 2024; EDPB 2025 annual report records 1.15 billion euros in GDPR fines, April 2026

Abstract

Who: Privateness advocacy group noyb (None of Your Enterprise), based by Max Schrems, filed the lawsuit. The defendant is the Hamburg Information Safety Authority (HmbBfDI). The unique complainant is represented by Jonas Breyer of Breyer Authorized. The case is supported by the Chaos Laptop Membership. The controller on the centre of the dispute is PimEyes, a facial recognition search engine at the moment showing to function from Dubai.

What: noyb filed a lawsuit in opposition to the Hamburg DPA for declining to take efficient enforcement motion in opposition to PimEyes, regardless of formally discovering the corporate’s practices unlawful. The Hamburg DPA concluded that PimEyes unlawfully processed biometric knowledge and failed to reply to the complainant’s entry and deletion requests, however restricted its response to sending an “data letter” to the corporate.

When: The lawsuit was filed on April 30, 2026. The underlying grievance was initially submitted on July 31, 2020. The Hamburg DPA’s choice got here on November 7, 2025, greater than 5 years after the preliminary submitting.

The place: The authorized proceedings contain the Hamburg Information Safety Authority in Germany. PimEyes has at numerous factors claimed institutions in Poland, the Seychelles, Belize, and most just lately Dubai.

Why: noyb argues that GDPR enforcement is legally doable in opposition to third-country firms by mechanisms akin to freezing European funds, requiring EU-based service suppliers to delete knowledge, or performing in opposition to the corporate’s Georgian managing director. The case challenges the precept {that a} regulator can lawfully decline to behave on the premise that enforcement could be tough – a precedent that, if established, would undermine the GDPR’s extraterritorial attain.