Where the world is pushing surveillance back

Canada's federal privacy watchdog ruled that Clearview AI's database and the federal police's use of it were illegal mass surveillance, and called on the company to stop and delete Canadians' data.

In November 2021 the US Commerce Department added Israeli spyware maker NSO Group to its Entity List, cutting off the American technology the company relied on and effectively banning US exports to it. A 2023 executive order then barred federal agencies from using commercial spyware tied to abuses. In a case brought by WhatsApp, a US court found NSO liable for hacking in December 2024, and in May 2025 a jury awarded about 168 million dollars, the first US jury verdict against a commercial spyware company.

The widest surveillance pushback in the world. It began in 2019 when San Francisco became the first city anywhere to ban police use of facial recognition, soon followed by Boston, Portland (Oregon), and others. Since then more than 100 US cities, counties, and agencies have removed, paused, denied, or restricted automated license plate readers like Flock, and several states have passed laws limiting ALPR data sharing and retention. Switch to the United States view of this map for the full breakdown.

A court suspended Buenos Aires's live facial-recognition fugitive system in April 2022 and ruled it unconstitutional that September, upheld on appeal in 2023, after it was used to run unauthorized searches on thousands of people not on any wanted list, including journalists, politicians, and activists. It remains suspended pending audit safeguards.

Courts suspended Sao Paulo Metro's facial-recognition system in 2022 after a public civil action by civil society groups, and a campaign backed by legislators across 13 states has pushed bills to ban facial recognition in public spaces. The city's larger Smart Sampa camera network has advanced despite the legal challenges.

Austria's DPA found Clearview AI acted illegally. The privacy group noyb filed a criminal complaint against the company and its managers.

Belgium oversight body for police information, the COC, found in February 2022 that federal police use of Clearview AI facial recognition was not legal, not authorized, and not necessary, with no sufficient basis in police law. It followed a 2019 order to halt a facial-recognition trial at Brussels Airport for the same reason. The interior minister confirmed the tool was illegal under Belgian law, though lawmakers continue to debate a framework that could permit narrow police use.

The EU AI Act Article 5 bans real-time remote biometric identification (live facial recognition) by law enforcement in publicly accessible spaces, with narrow exceptions. The prohibited-practices rules took effect 2 February 2025.

The European Parliament set up a committee of inquiry, known as PEGA, into the use of Pegasus and equivalent spyware across member states. Active from April 2022, its final report in May 2023 found that spyware had been used to illegally target journalists, politicians, and critics in countries including Poland, Hungary, Greece, and Spain, and it called for a moratorium and binding safeguards on the sale and use of such tools in the EU.

Finland Deputy Data Protection Ombudsman reprimanded the National Police Board in 2021 for unlawfully processing personal data when the National Bureau of Investigation trialed Clearview AI facial recognition during a child-abuse investigation. The ombudsman ordered the police to have Clearview erase the data they had transmitted and to notify affected people. The police had already dropped the tool, finding it unsuitable for their work.

France's CNIL ordered Clearview AI to stop collecting and to delete residents' data, then fined the company EUR 20 million for unlawful biometric processing.

A regional plan to install facial-recognition entry gates at two high schools in Nice and Marseille was struck down. The data-protection regulator CNIL warned in October 2019 that the trial was unlawful, and in February 2020 the Administrative Court of Marseille annulled it, ruling that the region had no authority to impose it, that students could not freely consent under school authority, and that the measure was disproportionate. It was the first French court decision applying the GDPR to facial recognition in a public space.

German data protection authorities found Clearview AI unlawful and ordered deletion, but the federal government has proposed a law granting police powers to match faces against public internet image databases. Legal scholars and civil society warn it breaches the constitution and EU law.

The Predatorgate scandal broke in 2022 when Predator spyware, made by the Intellexa group, was found on the phones of a financial journalist and the leader of the opposition PASOK party, who was also a member of the European Parliament. The national intelligence chief and the general secretary to the prime minister resigned, parliament passed a 2022 law on lifting communications confidentiality, and in February 2026 a Greek court convicted figures behind the Predator operation, a rare instance of accountability in the spyware industry.

Greece's Data Protection Authority fined Clearview AI EUR 20 million, its largest-ever penalty against a private company, for unlawfully processing Greek citizens' biometric data.

Civil society and oversight bodies in Ireland have contested government plans to give the national police, An Garda Siochana, facial recognition powers since 2022. The Irish Council for Civil Liberties, Digital Rights Ireland, the Data Protection Commission, and the Oireachtas Justice Committee all flagged serious deficiencies, and the committee issued dozens of recommended changes in 2024. The opposition delayed the measure for years, though a 2025 bill authorizing Garda biometric analysis was advancing through the Oireachtas in 2026.

Italy's data protection authority (Garante) fined Clearview AI EUR 20 million, banned further collection and processing of residents' data, and ordered deletion of the biometric data it held.

In December 2021 Italy became the first EU country to pause facial recognition in public spaces, suspending installation and use of the technology by both public and private actors until a dedicated legal framework is passed. Police and judicial criminal investigations were exempted, which civil-society groups criticized, but the moratorium marked a national stand against biometric mass surveillance and was later extended while a permanent law was debated.

The Dutch DPA fined Clearview AI EUR 30.5 million and warned Dutch companies against using its facial recognition database.

Poland is investigating how the previous Law and Justice government used NSO Group Pegasus spyware, which officials say was deployed against roughly 600 people between 2017 and 2022, including the opposition senator who ran the 2019 election campaign. After the government changed in late 2023, prosecutors opened investigations and parliament created a Pegasus and Illegal Surveillance commission in February 2024. In December 2024 a former security service chief was forcibly compelled to testify, a first in Polish history.

Civil society led by the SHARE Foundation forced the withdrawal of draft laws that would have legalized mass biometric video surveillance in Belgrade, in 2021 and again in 2023. Facial recognition remains legally unauthorized in Serbia, though Huawei cameras are installed and rights groups say the software has been used during protests without a legal basis.

Spain data protection agency, the AEPD, fined supermarket chain Mercadona 2.5 million euros in 2021 for running facial recognition across 48 stores that scanned every shopper, including children, to flag people with restraining orders. The regulator ruled the system unlawful under the GDPR and it was ordered stopped.

1. Jun 2020 Mercadona began a facial-recognition pilot across 48 supermarkets to flag people with restraining orders, scanning all shoppers including children. gdprhub.eu
2. May 2021 After complaints and an AEPD interim order, Mercadona halted the pilot and removed the cameras. gdprhub.eu
3. Jul 2021 The AEPD fined Mercadona 2.5 million euros, ruling the facial-recognition system unlawful under the GDPR. hunton.com

Sweden's data protection authority (IMY) fined the national police EUR 250,000 for using Clearview AI to identify people unlawfully and without a data protection assessment, and ordered the police to inform affected individuals and have their data deleted.

In May 2022 the UK Information Commissioner fined Clearview AI more than 7.5 million pounds and ordered it to stop scraping images of UK residents and to delete the data it already held, after a joint investigation with Australia regulator. Clearview appealed and a lower tribunal threw out the penalty in 2023 on jurisdiction grounds, but in October 2025 the Upper Tribunal restored most of the regulator case, ruling that Clearview does fall under UK data-protection law. The company may still seek further appeal.

In 2020 the Court of Appeal ruled South Wales Police live facial recognition unlawful in the Bridges case, the first successful legal challenge of its kind. In 2022 the ICO fined Clearview AI and ordered UK residents data deleted. Live facial recognition has since expanded to more police forces, and the fight over its limits continues.

1. Sep 2019 The High Court dismissed Edward Bridges challenge to South Wales Police use of live facial recognition. libertyhumanrights.org.uk
2. Aug 2020 The Court of Appeal ruled South Wales Police live facial recognition unlawful, the first successful legal challenge to the technology in the UK. The case was backed by the civil liberties group Liberty. libertyhumanrights.org.uk
3. May 2022 The ICO fined Clearview AI over 7.5 million pounds and ordered it to delete UK residents data. time.com

Australia privacy regulator, the OAIC, ruled Clearview AI breached privacy law by scraping Australians images and ordered it to stop and delete the data. In 2024 the regulator also found retailer Bunnings breached privacy by running in-store facial recognition on hundreds of thousands of shoppers, a finding a tribunal later softened in part on appeal.

1. Nov 2021 The OAIC found Clearview AI breached the Privacy Act by scraping Australians faces and ordered it to stop collecting and to delete the data. theconversation.com
2. Nov 2024 The Privacy Commissioner ruled Bunnings breached privacy by running facial recognition on shoppers across more than 60 stores, and ordered it to stop and destroy the data. oaic.gov.au
3. Feb 2026 A review tribunal upheld the notification and governance breaches but found Bunnings could use the technology for the limited purpose of fighting serious retail crime. The Commissioner did not appeal. oaic.gov.au

New Zealand Police secretly trialed Clearview AI in 2020 without sign-off from the Police Commissioner, the Privacy Commissioner, or Cabinet. After the trial was exposed and halted, an independent review led police to commit not to use live facial recognition until its privacy, legal, and ethical impacts are understood.

1. May 2020 Reporting revealed police had secretly trialed Clearview AI without authorization. The trial was halted and the Police Commissioner ordered a stocktake of surveillance tools. rnz.co.nz
2. Dec 2021 An independent review prompted police to halt plans for live facial recognition, with police stating they will not use it until the impacts are fully understood. rnz.co.nz