First "the criminal police" quoted was, as far as I can make out, not the State Criminal Investigation Office (Landeskriminalamt) of Lower Saxony, which was responsible for the arrest. Typically, comments on legal matters are left to the state prosecutors, who are in charge of affairs. Instead, comments like this have been made by Jochen Kopelke, Chairman of one of the police unions, the Gewerkschaft der Polizei. He also commented on why his colleagues would not use this software platform:
The people in the police force who carry out internet-based searches are all familiar with software tools. But they don't use all of them. I also discussed the Klette case with colleagues who use OSINT [Open Source Intelligence, the professional research of information that people make publicly available on the internet and analysing it for usable findings]... All colleagues know Pimeyes. But to use it, they would have to send data to servers in non-European countries. And that's always a huge problem for the police. It always has to be a German server with a closed network. Before OSINT colleagues try out new tools, they understandably say: I don't even know if I'm allowed to do that, I'd better ask our data protection officer. They are then quickly told that this is not covered by the applicable police law or the Code of Criminal Procedure, it is not possible. What's more, we have to carry out OSINT searches from our service devices. However, these are not necessarily state of the art. We know the software, we can use it, but we often lack the right tools and the legal framework.
There is a good discussion of the legal issues in a German-language podcast. Since there is no official transcription, let me sum up the pertinent points made there:
[start of paraphrasing]
The relevant legislation is the EU General Data Protection Regulation, which in Article 9 states a general prohibition, together with exceptions.
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
Paragraph 1 shall not apply if one of the following applies:
- (e) processing relates to personal data which are manifestly made public by the data subject;
- (f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- (g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights;
The exceptions to the general use should be able to cover all aspects of this case. In fact, the Federal Criminal Investigation Office (BKA) and the Criminal Investigation Offices of the states have used software for facial recognition since 2008, a system called GES.
The software may only be used by schooled officers who can act as experts in front of courts. It compares pictures from the internet to pictures from the internal database INPOL. According to the BKA, such searches are conducted around 20,000 times a year. Each of those requires a judge to have ordered a public manhunt. In the case of Daniela Klette, such an order has been available for decades.
Neither BKA nor the LKA of Lower Saxony have made any statements about the use of PimEyes. It is clear that the above-mentioned GES will have been used. Journalistic research from recent years has shown that police and secret agencies in Germany have used other and external platforms in addition. Singular cases of help from other international agencies have been uncovered over the years, but the general rules covering this are not transparent.
Independently of who executes the search, using PimEyes and comparable platforms might be legally problematic, though. For example, its Terms of Use forbid the use for anything but searching for one's own face.
[end of paraphrasing]
Another aspect was pointed out in an article of the Neue Zürcher Zeitung, obviously from a Swiss viewpoint. But German and EU legislation are not far apart in this case (Translated with DeepL.com):
The software is technically impressive, but it is probably not legal. No court has yet ruled on whether PimEyes broke the law when creating its software. However, the people whose photos are stored and processed in the software were never asked for their consent - they ended up in a facial recognition database without their knowledge.
For Martin Steiger, lawyer and media spokesperson for the Digitale Gesellschaft association, it is clear that the very act of collecting data for the PimEyes software violates data protection law. This is because biometric data such as the face is particularly strongly protected. He says: "The police lack the legal basis to use such a tool."
Florent Thouvenin, professor of law at the University of Zurich, says that explicit consent for the use of personal data is only necessary in certain cases. "But tools like PimEyes are highly problematic. They enable new forms of surveillance."
Getting back to the use by police agencies, the article goes on:
The fact that this creates a situation in which journalists have tools at their disposal that are forbidden to the police is only absurd at first glance, says Thouvenin. On closer inspection, it makes sense: "It's about setting limits for the state when processing personal data."...
One of the reasons for this is that the authorities have more power and data about private individuals than most private organisations: Tax data, fingerprints and iris scans for passports, for example. The police are prohibited from accessing such data because they could otherwise use it to build up a surveillance apparatus, as has already happened in countries such as China.
Similar comments have been made by Khesrau Behroz, the main author of the journalistic research that found Klette using PimEyes.
The legal situation regarding the use of AI tools is about to change. The EU Commission and Parliament are in the process of finalizing a regulation laying down harmonised rules on Artificial Intelligence. According to the currently agreed text, AI able to provide facial recognition will be placed in the "high-risk technology" category. Its providers, importers, deployers or anyone offering a service will have to provide a proof of conformity with regulatory rules and to register the product with the EU.
This is not the place to provide details on the obligations. But notably, the real-time use of remote biometric identification systems in publicly accessible spaces by law enforcement will be restricted to a defined group of purposes, and only allowed under judicial oversight.
AI systems that create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage will be banned completely.
See this page for information by a public interest group on content and process.