Privacy advocacy group noyb today filed a lawsuit against the Hamburg data protection authority (HmbBfDI), escalating a legal dispute that began with a complaint originally lodged in July 2020. The case targets the authority's decision to acknowledge PimEyes operates unlawfully - but to do nothing meaningful about it. The central argument is stark: the authority cannot cite a company's apparent offshore location as a reason to abandon enforcement of European privacy law.

PimEyes is a facial recognition search engine that continuously scans the public internet to harvest images of faces and store them in a database. According to noyb, the company has already collected billions of images. Anyone visiting the website can upload a photo of a person and receive further images of that same individual along with links to where those images appear online. For a fee, users can also access a probability score indicating how confident the system is that two images show the same person. The underlying mechanism relies on facial recognition, which in legal terms means the processing of biometric data - a special category of personal data afforded heightened protection under the General Data Protection Regulation.

The business model draws direct comparisons to Clearview AI, the US-based firm that built a comparable database and faced fines across multiple European jurisdictions. Italy issued a 20 million euro fine against Clearview in March 2022. Greece followed with its own 20 million euro penalty in July 2022. The Netherlands added a 30.5 million euro fine in September 2024. Criminal charges were later filed against Clearview executives in Austria in October 2025. PimEyes has operated in similar territory but without facing comparable enforcement action in Europe.

A complaint that took more than five years to produce a decision

The original complaint was filed with the Hamburg DPA on July 31, 2020. According to noyb's case documentation, the authority took more than five years to reach a formal decision, which it issued on November 7, 2025. That decision concluded that PimEyes acted unlawfully and should have responded to the complainant's access and deletion requests. Yet despite that finding, the Hamburg DPA announced it would take no concrete measures beyond sending what it described as an "information letter" to PimEyes.

The reasoning offered by the authority hinged on location: PimEyes, it noted, appears to be based in Dubai and does not respond to inquiries. Requiring enforcement steps that might prove difficult to execute, in the authority's view, was not something it was obligated to do.

noyb rejected that reasoning. According to the group's data protection lawyer Felix Mikolasch, "Instead of relying on the contact details on the PimEyes website to stop working on the case, the Hamburg supervisory authority should take effective action against the company. It cannot simply end its work because it speculates that the measures might be fruitless. This possibility can never be completely ruled out. Other authorities have also imposed fines on the comparable US company Clearview AI."

The case file, published by noyb as case C042, shows a long trail of procedural activity between 2020 and 2025. On August 13, 2020, the authority confirmed receipt of the complaint. noyb formally stepped in to represent the complainant on May 12, 2021. A call with the Hamburg DPA on August 17, 2022 revealed the authority's position: it could not enforce a decision, and it argued that Poland - where PimEyes had previously claimed an establishment - was not competent either, since no confirmed EU establishment could be verified.

The shifting location problem

PimEyes has, over the course of the proceedings, claimed to be based in three different countries: Poland, the Seychelles, and Belize. According to noyb, the Hamburg authority apparently never verified whether any of these claimed locations on the website were accurate. Now, with PimEyes appearing to operate from Dubai, the authority is using that shifting presence as grounds to decline further action.

This jurisdictional difficulty is not unique to PimEyes. The Hamburg DPA has faced separate legal challenges from noyb over its handling of other GDPR complaints, including a 2024 lawsuit over the authority's decision on "Pay or OK" consent banners, where noyb alleged the authority failed to consider critical data on user behaviour and engaged in improper communications with the publisher under investigation.

On October 25, 2024, the Hamburg DPA told noyb it would look at new possibilities for progressing the PimEyes case and asked for documentation from four years earlier. On December 2, 2024, noyb replied that the data subject had not yet located the documents. The formal decision came on November 7, 2025, followed by noyb gaining access to the case file on November 18, 2025.

What enforcement could look like

The lawsuit filed today argues that effective enforcement against PimEyes is legally possible even though the company operates from a third country. noyb's legal team has outlined three potential avenues the Hamburg DPA could pursue.

First, the authority could freeze funds that PimEyes holds in Europe. Second, it could require PimEyes' service providers - including hosting and infrastructure companies operating within the EU's jurisdiction - to delete data. Third, it could take measures directly against the company's Georgian managing director. According to noyb, should the court find in the complainant's favour, the Hamburg DPA would be required to reconsider the original complaint and would likely have to implement measures that provide meaningful relief.

Jonas Breyer, the plaintiff's lawyer, described the authority's inaction as worrying: "It is worrying that the authority is not even attempting to take effective steps to enforce the GDPR - and that PimEyes is thus able to continue its clearly unlawful practices unhindered. The Hamburg supervisory authority is signalling once again that, even in the face of serious GDPR violations, it is sitting on its hands and inviting calculated breaches of the law."

The claimant is represented by Jonas Breyer of Breyer Legal. noyb, which gained EU-wide authority for collective data protection cases in December 2024, supported the complainant during the Hamburg proceedings and supports the current claim. The case also carries the backing of the Chaos Computer Club, Germany's prominent digital rights organisation.

Biometric data under the GDPR

The legal stakes attached to facial recognition searches are high because biometric data falls under Article 9 of the GDPR, which governs special categories of personal data. Processing such data without an explicit legal basis or the data subject's explicit consent is prohibited. The burden of justification is considerably higher than for ordinary personal data, and the potential fines for violations can reach 20 million euros or 4 percent of global annual turnover, whichever is greater.

According to Max Schrems, Chairman of noyb, the scale of PimEyes' operations represents a serious threat to individual privacy: "The unchecked spread of facial recognition tools such as PimEyes is disastrous for privacy: stalking and mass surveillance of millions of people can be carried out in a matter of seconds. PimEyes has amassed billions of pieces of biometric data from innocent people without their knowledge and makes this data available to everyone. This mass surveillance of private individuals is clearly unlawful - and the Hamburg authority also sees it this way."

The EDPB's 2025 annual report, published on April 9, 2026, recorded a combined total of 1,145,760,374 euros in GDPR fines issued by national data protection authorities across Europe during 2025 alone. Germany's combined DPA actions produced 499 fines totalling 48,117,083 euros across that year. That enforcement volume underlines the broader pressure European regulators are under to act, even as individual cases such as PimEyes drag on for years without resolution.

A broader pattern of data protection authorities being criticised for ineffective GDPR enforcement has been documented by noyb itself. A study published by the group in January 2024 found that 74 percent of data protection professionals believed DPAs would find relevant violations if they conducted on-site investigations at an average company handling user data. That same study noted that 70 percent of respondents believed DPAs needed to issue clearer decisions and enforce the GDPR more consistently. The PimEyes case fits this pattern precisely: a formal finding of illegality from a regulator, followed by a decision to take no corrective action.

Why this matters beyond the complaint

The case is not only about one person's attempt to have their biometric data deleted from a search engine. It raises a structural question about whether European data protection authorities can decline to enforce GDPR decisions against companies that are difficult to locate. If that principle were to be accepted, it would create a straightforward template for companies wishing to continue processing personal data illegally: simply operate from outside the EU and respond to nothing.

Similar pressures are visible elsewhere. Spain's AENA received a 1.8 million euro fine for airport facial recognition failures in November 2025, in a case where the AEPD found inadequate data protection impact assessments for biometric passenger processing. The European Data Protection Board's 2024 opinion on facial recognition in airports also emphasised maximum individual control over biometric data and strict data minimisation requirements.

In the PimEyes context, those principles are being tested in a far more aggressive commercial application - one where the entire business model is built on processing biometric data of individuals who never consented and are often unaware their images are indexed.

noyb is also pursuing separate enforcement actions at the EU level. The organisation's March 2026 survey of 510 data protection officers revealed a sharp disconnect between the European Commission's proposed GDPR reforms and what privacy professionals inside companies said would actually reduce compliance burdens. That context matters here: at the same time as the Commission discusses loosening some GDPR requirements, enforcement on fundamental issues such as unlawful biometric scraping remains patchy.

The Hamburg DPA has not publicly commented on the lawsuit. PimEyes has not responded to the proceedings before the Hamburg authority and, according to noyb, does not respond to inquiries.

Timeline

  • 31 July 2020 - Original complaint filed against PimEyes with the Hamburg DPA
  • 13 August 2020 - Hamburg DPA confirms receipt of the complaint
  • 12 May 2021 - noyb formally steps in to represent the complainant
  • 7 July 2021 - noyb informs the supervisory authority that Poland's UODO does not have the case
  • 30 July 2021 - Supervisory authority informs noyb about communication with Poland's UODO
  • 17 August 2022 - Hamburg DPA call: authority says enforcement would be impossible and questions whether Poland is competent
  • 30 November 2022 - Call with Hamburg DPA references the parallel Clearview case (C025) and asks for proof of any EU establishment of PimEyes
  • 28 September 2023 - Call with Hamburg DPA to discuss complaint status
  • 20 October 2023 - noyb sends information about the Polish Company Register and addresses used by PimEyes and related companies
  • 25 October 2024 - Hamburg DPA says it will explore new possibilities and requests documentation from four years earlier
  • 2 December 2024 - noyb replies that the data subject has not yet located the requested documents
  • 7 November 2025 - Hamburg DPA issues decision: considers PimEyes illegal but declines to act, citing Dubai location
  • 18 November 2025 - noyb gains access to the case file
  • 30 April 2026 - noyb files lawsuit against the Hamburg DPA
  • Clearview AI faced criminal charges in Austria from October 2025
  • Hamburg DPA previously challenged over Pay-or-OK inaction, August 2024
  • EDPB 2025 annual report records 1.15 billion euros in GDPR fines, April 2026

Summary

Who: Privacy advocacy group noyb (None of Your Business), founded by Max Schrems, filed the lawsuit. The defendant is the Hamburg Data Protection Authority (HmbBfDI). The original complainant is represented by Jonas Breyer of Breyer Legal. The case is supported by the Chaos Computer Club. The controller at the centre of the dispute is PimEyes, a facial recognition search engine currently appearing to operate from Dubai.

What: noyb filed a lawsuit against the Hamburg DPA for declining to take effective enforcement action against PimEyes, despite formally finding the company's practices illegal. The Hamburg DPA concluded that PimEyes unlawfully processed biometric data and failed to respond to the complainant's access and deletion requests, but limited its response to sending an "information letter" to the company.

When: The lawsuit was filed on April 30, 2026. The underlying complaint was originally submitted on July 31, 2020. The Hamburg DPA's decision came on November 7, 2025, more than five years after the initial filing.

Where: The legal proceedings involve the Hamburg Data Protection Authority in Germany. PimEyes has at various points claimed establishments in Poland, the Seychelles, Belize, and most recently Dubai.

Why: noyb argues that GDPR enforcement is legally possible against third-country companies through mechanisms such as freezing European funds, requiring EU-based service providers to delete data, or acting against the company's Georgian managing director. The case challenges the principle that a regulator can lawfully decline to act on the basis that enforcement might be difficult - a precedent that, if established, would undermine the GDPR's extraterritorial reach.
