The AI Act explained: ban on scraping of facial images (6/10)

Information can come from anywhere. Scraping refers to the process by which an AI tool, such as a web crawler or bot, collects large volumes of data from various platforms. This scraping occurs across multiple sources, from public platforms to surveillance cameras (CCTVs).[1]

The risk with AI-driven scraping is that AI reacts dynamically. That is, AI is capable of detecting content and drawing connections without being given an explicit command. Moreover, it is not excluded that AI may scrape data from the dark web as well.[2]

Once all this information is scraped, databases are created in which the gathered data is stored. When scraping facial images, for example, this results in a database full of facial photographs.

It is immediately apparent why this is undesirable, even for those who claim, “I have nothing to hide.” A database full of facial images inevitably leads to privacy risks.

A real-world example is the American company Clearview (which has no EU establishment), which was fined by the Dutch Data Protection Authority for illegally collecting facial images of Dutch citizens.

Clearview’s clients can submit camera footage to identify the individuals in the images. To facilitate this, Clearview created an enormous database of facial images scraped from the internet. These images are converted into biometric codes, enabling facial recognition. The images were added to the database without the individuals’ consent and were subsequently shared with third parties for identification purposes.

Such systems must therefore be banned. The prohibition applies if all of the following cumulative conditions are met:

• The system aims to create or expand facial recognition databases;

• The database is populated using AI tools for indiscriminate scraping;

• The images are sourced from the internet or CCTV footage.[3]

The ban applies to both providers and users of AI systems, each within their own sphere of responsibility. It only applies to the use of AI systems that perform indiscriminate scraping of facial images. AI systems that perform targeted scraping are not prohibited under this article.

A facial recognition database, logically, is a database of faces. It enables comparisons between faces captured in external video or images and those stored in the database. Once the system detects a match, it alerts the user.[4]

Indiscriminate scraping can be likened to a vacuum cleaner: it picks up all information it encounters without focusing on a particular scraping goal. In the context of facial image databases, this means the tool does not focus on a specific individual or defined group of individuals.[5]

If a scraping tool is instructed to collect only images or videos containing faces of specific individuals or a predetermined group—for example, to track a particular criminal or identify a group of victims—then the scraping is targeted and not covered by Article 5(1)(e).

An example of permitted targeted scraping is the collection of images focused on a category of victims, such as those targeted by human traffickers on social media platforms. However, indiscriminate scraping must be interpreted in a way that the prohibition cannot be circumvented. If the internet or CCTV footage is scraped step-by-step to build a database—by repeatedly selecting specific groups or criteria—this still falls under Article 5(1)(e) if the end result is functionally equivalent to indiscriminate scraping.

In short: attempts to circumvent the prohibition are not permitted.

It is crucial that you determine as soon as possible whether your organisation is using prohibited AI practices. If so, this can result in substantial fines of up to EUR 35 million or 7% of your global annual turnover.

The fact that no specific supervisory authority has yet been appointed for these AI prohibitions does not mean enforcement cannot occur. The prohibitions have been directly applicable since 2 February 2025, and any violation constitutes a wrongful act. Individuals or companies who suffer damages may already bring legal proceedings.

In short, compliance with the AI Act requires a structured approach within your organisation. We are happy to support you in mapping and classifying your AI systems and implementing the necessary obligations. We do this in collaboration with an external partner following a three-step approach: a knowledge session, an AI scan, and implementation.

If your organisation needs help completing these steps, the Holla AI team offers an AI scan to ensure compliance with the AI Act.

Have questions? Contact us, we’re here to help. Stay tuned to our website for more articles in this blog series.