Dr. Stefan Brink, the State Commissioner for Data Protection and Freedom of Information, has opened proceedings against PimEyes - a result of the company’s use of facial recognition technology, as well as its face databases and personal profiles.
Users have suffered from a loss of anonymity, which drew the attention of data protection officials.
The company scans "masses of faces on the Internet for individual characteristics", according to research by netzpolitik.org, and maintains biometric data (i.e., personal traits like facial shape, eye color, or the distance from mouth to nose) with which everyone can be precisely recognized.
These concerns started in May 2021, after which several procedures were followed to check if the company complies with data protection laws.
Read more about this topic on the State Commissioner for Data Protection and Freedom of Information website.
Because PimEyes is used globally, it is reasonable to assume that the company processes personal data from European users, meaning that it sits within the scope of the General Data Protection Regulation (GDPR).
This law forbids the use of biometric information for identifying human beings, yet the company database has been accessible for users anywhere in the world.
The State Commissioner is still unclear about how the corporation uses this data.
You can submit a photo of a person to find out where else on the internet that person's face is already present, such as on social media, own website, or in the public cloud. In the state commissioner's opinion, it is still unclear how the corporation uses this data.
PimEyes has been requested to provide details on the data that the business processes by the State Commissioner for Data Protection and Freedom of Information, Dr. Stefan Brink. In order to accomplish this, the state commissioner has sent the business a lengthy list of inquiries.
The state commissioner received a statement from PimEyes on November 1, 2022, in which the firm discusses the legal justification for using biometric data to identify people, technological and organizational measures (TOMs), and safeguards against data misuse.
The company enables its users to submit a photo of a person, and they will then be given links to wherever this person has been photoed elsewhere online - be it on social media, websites, or in the public cloud.
PimEyes claims in its statement that it only analyzes photographs that are made available to the public and that it is unable to identify owners. Therefore, there is no personal reference at all for the data recorded by PimEyes, and no processing of personal data occurs.
The state commissioner vehemently disagrees with these claims due to the grave danger posed to people’s rights and liberties by the company’s actions.
The state commissioner has initiated fine proceedings against PimEyes due to the company's apparent disregard for data privacy laws and serious shortcomings in technological and organizational safeguards.
Every image of a person that can be used to identify them or that depicts them represents personal data. For the processing of such pictures, a legal foundation in accordance with Article 6 DS-GVO is necessary.
Special categories of personal data are handled when biometric data is additionally used to unambiguously identify a natural person (biometric facial recognition). Article 9 of the GDPR generally forbids this kind of processing.
More and more businesses are thinking about implementing systems that process biometric data for authorization or security (e.g. access control, monitoring of worked hours, and building security).
Depending on the context, the use of biometric data may improve user comfort, operational efficiency, and security. However, the use of such systems is considered highly intrusive to privacy, and the GDPR only allows for a limited number of such operations to be carried out in practice.
Gain World-Class Insights & Offer Innovative Privacy & Security
Sign up to Our Newsletter for Regular Nuggets. And don’t worry, we won’t tell sales.