On February 2, 2025, the European Union's ban on real-time facial recognition in public spaces went into effect. Unlike the US patchwork or UK's lawless expansion, Europe chose prohibition. Violators face fines up to €35 million or 7% of global revenue. The EU AI Act is the world's first comprehensive law banning biometric mass surveillance.
Meanwhile, Clearview AI owes over €100 million in unpaid European fines. They haven't paid a cent. Enforcement remains the hard part.
The Numbers
€35M
Maximum fine per violation (or 7% of global revenue) [1]
€100M+
Clearview AI's unpaid European fines [2]
Feb 2, 2025
Date the ban took effect [1]
27
EU member states where ban applies
What the EU AI Act Actually Bans
Article 5 of the EU AI Act establishes eight categories of "prohibited AI practices." Three directly affect facial recognition: [1]
1. Real-Time Remote Biometric Identification
Live facial recognition cameras in public spaces for law enforcement are generally prohibited.
Police cannot deploy cameras that scan crowds in real-time and match faces against databases. No standing surveillance of public squares, transport hubs, or high streets. The default is: you don't get scanned.
2. Facial Recognition Database Creation
Creating or expanding facial recognition databases through "untargeted scraping of facial images from the internet or CCTV footage" is prohibited. [1]
This directly targets companies like Clearview AI, which built its database by scraping billions of photos from social media without consent.
3. Biometric Categorization
Systems that categorize people based on biometric data to infer race, political opinions, religious beliefs, sexual orientation, or trade union membership are prohibited. [1]
No algorithmic profiling based on your face to guess your politics or religion.
The Exceptions (There Are Always Exceptions)
The ban isn't absolute. Law enforcement can use real-time facial recognition in three narrow circumstances: [1]
Permitted Exceptions
- Targeted search for victims of abduction, trafficking, sexual exploitation, or missing persons
- Prevention of imminent threats to life or physical safety, including terrorist attacks
- Locating suspects of serious crimes (those punishable by at least 4 years imprisonment)
But even these exceptions come with requirements:
- Mandatory fundamental rights impact assessment under Article 27
- Registration in the EU database under Article 49
- Authorization from a judicial authority or independent administrative body
- The authorizing body must be satisfied the use is "necessary and proportionate"
Compare this to the UK, where police can add anyone to a watchlist without judicial oversight and deploy cameras wherever they want.
What's Also Banned
The AI Act prohibits more than just facial recognition. Article 5 covers: [1]
- Emotion recognition in workplaces and schools, No cameras judging if employees or students are happy, sad, or suspicious
- Social scoring systems, No ranking citizens based on behavior (the China model)
- Manipulation techniques, AI that exploits vulnerabilities to cause harm
- Predictive policing on individuals, Based solely on profiling or personality traits
The Clearview AI Problem
Clearview AI provides facial recognition to law enforcement by scraping billions of photos from the internet without consent. Multiple EU data protection authorities have fined them. None have collected. [2]
The Fines
| Country | Authority | Fine | Year | Status |
|---|---|---|---|---|
| France | CNIL | €20 million + €5.2M penalty | 2022-2023 | Unpaid |
| Italy | Garante | €20 million | 2022 | Unpaid |
| Greece | Hellenic DPA | €20 million | 2022 | Unpaid |
| Netherlands | Dutch DPA | €30.5 million | 2024 | Unpaid |
| UK | ICO | £7.5 million (~€9M) | 2022 | Appeal failed 2025 |
Total: Over €100 million in fines. Zero euros paid.
Why Clearview Doesn't Pay
Clearview AI is a US company. It has no European offices, assets, or employees to seize. European regulators can issue fines, but enforcing them against a foreign company that refuses to comply is another matter.
Privacy advocacy group noyb filed criminal charges against Clearview AI in October 2025, escalating after regulatory fines failed. [2]
Max Schrems, noyb's founder, stated: "Clearview AI seems to simply ignore EU fundamental rights and just spits in the face of EU authorities."
GDPR Protections (Pre-AI Act)
Before the AI Act, GDPR already provided some facial recognition protections: [3]
Article 9: Special Category Data
Biometric data is classified as "special category" data under GDPR Article 9. Processing it requires explicit consent or specific legal authorization.
Key GDPR Requirements
- Lawful basis required, You need a legal reason to process biometric data
- Explicit consent, For most commercial uses, individuals must opt in
- Data minimization, Collect only what's necessary
- Purpose limitation, Can't repurpose biometric data for new uses
- Right to erasure, Individuals can demand deletion
GDPR Fines
Maximum penalty under GDPR: €20 million or 4% of global annual revenue.
The AI Act raised this to €35 million or 7% for prohibited practices.
Country-by-Country Enforcement
Each EU member state has its own data protection authority. Enforcement varies: [4]
France (CNIL)
- Most aggressive enforcement against Clearview AI
- First to fine (€20M), then added €5.2M penalty for non-compliance
- Active in regulating workplace facial recognition
Italy (Garante)
- Issued maximum GDPR fine against Clearview (€20M)
- Banned data processing and collection of Italian residents
- Strict stance on biometric surveillance
Netherlands
- Issued largest single fine (€30.5M in 2024)
- Found Clearview's processing relates to "behavioural monitoring"
- Active enforcement despite collection difficulties
Germany
- Decentralized enforcement (16 state-level authorities)
- Generally strict on biometric data
- Hamburg DPA particularly active on facial recognition
How Europe Differs from the UK
The UK left the EU but retained GDPR-equivalent rules. In practice, enforcement diverges dramatically:
| Issue | EU | UK |
|---|---|---|
| Public space facial recognition | Banned (with narrow exceptions) | No restrictions |
| Judicial authorization required | Yes, for exceptions | No |
| Emotion detection | Banned in workplaces/schools | Being considered for expansion |
| Database scraping | Prohibited | ICO fined Clearview but can't enforce |
| Maximum fines | €35M or 7% revenue | £17.5M or 4% revenue |
| Faces scanned by police (2025) | Limited | 7+ million |
The UK's December 2025 consultation proposes expanding police facial recognition to all 43 forces while the EU bans it. Brexit created a surveillance gap.
What Ring/Amazon Can't Do in Europe
Amazon's Ring doorbell operates in EU countries (Germany, UK, Ireland, Austria) but with restrictions: [5]
- No "Familiar Faces" feature, The facial recognition feature launching in the US is not available in EU markets
- Privacy zones required, Smart doorbell owners must configure cameras to avoid recording neighbors
- Visible signage, Must post notices when recording in some jurisdictions
- Data Protection Impact Assessments, Required for commercial use
The EU proved companies will disable features rather than pay fines. The technology isn't inevitable, regulation shapes what gets deployed.
Upcoming Enforcement
Timeline
| Date | Event |
|---|---|
| February 2, 2025 | Prohibited practices ban takes effect |
| August 2, 2025 | Most AI Act provisions apply |
| August 2, 2026 | High-risk AI system requirements apply |
| August 2, 2027 | Full enforcement of all provisions |
What Comes Next
The European Commission published guidelines in early 2025 to clarify prohibited practices. Key interpretations: [6]
- Detecting physical states (fatigue, illness) is not "emotion recognition", driver fatigue detection systems remain legal
- Retrospective biometric identification (analyzing recorded footage) faces different rules than real-time scanning
- Private sector uses of facial recognition remain subject to GDPR but aren't outright banned like public space law enforcement use
The Enforcement Problem
The EU has the world's strongest facial recognition law on paper. Enforcement remains uneven: [2]
What Works
- Companies operating in Europe disable features to comply (Ring, others)
- Fines create public awareness and legal precedent
- Cross-border coordination improves
What Doesn't
- Foreign companies with no European presence ignore fines
- Criminal referrals are slow
- Enforcement varies by country
- €100M+ in Clearview fines remain uncollected
The AI Act's higher fines (€35M vs €20M under GDPR) may help, but only if violators have assets to seize.
What You Can Do in Europe
Know Your Rights
- Under GDPR, you can request what biometric data is held about you
- You can demand deletion of improperly collected data
- You can file complaints with your national data protection authority
Report Violations
- See facial recognition in public spaces? Document it
- Contact your national DPA
- Report to organizations like noyb or EDRi
Support Enforcement
- noyb, Files complaints and legal challenges across Europe
- European Digital Rights (EDRi), Coalition of civil liberties organizations
- Privacy International, Tracks and challenges Clearview AI globally
The Bottom Line
The EU made a choice: ban real-time facial recognition in public spaces. Make exceptions narrow and require judicial authorization. Fine violators tens of millions of euros.
Is it perfect? No. Clearview AI still hasn't paid. Enforcement varies. Exceptions exist. But the baseline is prohibition, not permission. Companies disable features to comply. The law shapes what surveillance is possible.
The UK looked at the same technology and chose expansion. The US has no federal law. China requires consent for commercial use.
Europe proved a different path exists. Whether they can enforce it determines whether it matters.
References
- EU AI Act - Article 5: Prohibited AI Practices
- The Register - Clearview AI faces criminal heat for ignoring EU data fines
- GDPR Article 9 - Processing of special categories of personal data
- Privacy International - Challenge against Clearview AI in Europe
- Biometric Update - EU issues guidelines clarifying banned AI uses
- Orrick - EU Commission Publishes Guidelines on Prohibited AI Practices
- EDPB - French SA fines Clearview AI EUR 20 million
- EDPB - Hellenic DPA fines Clearview AI 20 million euros
- Barracuda - Clearview AI's massive fine for GDPR violations
- Lewis Silkin - EU AI Act: the ban on prohibited AI systems comes into force