European Union regulators issued the first financial penalties under the AI Act on Friday, fining two security contractors a combined €42 million for operating biometric surveillance systems in public shopping districts without authorization. The European AI Office coordinated the action with national authorities in Germany and the Netherlands, signaling that high-risk AI rules now carry enforcement teeth beyond compliance notices.
Both companies deployed facial recognition cameras marketed as theft-prevention tools. Investigators found the systems processed biometric data on thousands of pedestrians daily, retained images beyond permitted windows, and lacked documented risk assessments required for high-risk classification. Officials said the violations continued for months after formal warnings in late 2025.
The Penalties
German regulators assessed €28 million against SecureVision GmbH for installations across four retail corridors in Düsseldorf and Hamburg. Dutch authorities fined Oranje Analytics €14 million for comparable deployments in Rotterdam. The amounts reflect 3 percent of global turnover, below the AI Act maximum of 7 percent, because both firms cooperated after proceedings began.
Neither company may deploy biometric identification in publicly accessible spaces for 18 months except under court order. They must delete unlawfully retained templates within 90 days and fund independent audits submitted quarterly to the AI Office.
Legal Basis
The AI Act prohibits real-time remote biometric identification in publicly accessible spaces for law enforcement except in narrowly defined emergencies. Commercial use faces stricter member-state rules; Germany and the Netherlands require explicit legislative authorization that neither vendor obtained.
Legal scholars said the cases establish precedent for treating retail surveillance networks as high-risk systems subject to conformity assessments, technical documentation, and human oversight logs. Vendors can no longer classify such products as low-risk analytics tools.
Industry Response
European retail associations distanced themselves from the penalized vendors, publishing guidance that members must conduct DPIAs — data protection impact assessments — before piloting camera analytics. Two major supermarket chains paused facial recognition trials in Poland and Spain pending legal review.
U.S. surveillance vendors with EU operations, including Verint and Axis Communications, said they would restrict biometric modules to markets with explicit statutory permission. Shares in smaller European facial recognition startups fell on the news, though none were charged.
Broader Enforcement Agenda
European AI Office director Lucilla Sioli said additional cases focus on employment screening algorithms and medical diagnostic tools missing required accuracy documentation. She declined to name targets but said letters of inquiry went to 14 organizations in April.
Companies deploying general-purpose AI with systemic risk must complete model evaluations by August under separate AI Act timelines. Friday's fines addressed an earlier tranche of rules governing prohibited and high-risk practices.
What Companies Should Do
Compliance officers are revisiting vendor contracts for indemnities and audit rights. Multinationals with EU revenue above €50 million face the highest exposure. Lawyers at Clifford Chance and Linklaters advised clients to map AI systems against Annex III high-risk categories before Q3 board reviews.
For pedestrians, the immediate effect is camera removal in the penalized districts. Longer term, the fines may accelerate Europe's divergence from markets where commercial biometric surveillance remains largely unregulated.
