Dutch Police Hold 6.5 Million Non-EU Faces Without Clear Legal Authority as EU AI Act Deadline Looms

Netherlands police access a foreigners' biometric registry covering millions of Asian and non-EU nationals without a specific statutory basis—with the EU AI Act compliance deadline six weeks away.

[Infographic: "Dutch Police Facial Recognition: The Numbers" (People of Internet Research, Netherlands). 6.5M non-EU faces in database; €30.5M Clearview AI fine; 2 police accesses of the foreigners' database in 2022.]

The Netherlands has one of Europe's sharpest records on facial recognition enforcement. In September 2024, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) fined Clearview AI €30.5 million for illegally building a database of scraped biometric photos and making it available for law enforcement identification. AP chairman Aleid Wolfsen stated plainly that "facial recognition is a highly intrusive technology that you cannot simply unleash on anyone in the world" and warned Dutch organisations using Clearview to expect hefty fines.

But that enforcement posture sits awkwardly beside a quieter domestic reality. For nearly a decade, Dutch police have operated the CATCH (Central Automated Technology for Recognition) facial recognition system—and alongside its legitimate criminal suspects database, police have accessed a parallel repository of approximately 8 million photos belonging to around 6.5 million non-EU nationals who registered for residency, work, or study in the Netherlands. Legal experts have argued for years that this arrangement lacks a proper statutory basis. With the EU AI Act's full high-risk compliance deadline arriving on August 2, 2026—roughly six weeks away—the Netherlands now faces a reckoning it can no longer defer.

How CATCH Operates

CATCH compares facial images from surveillance cameras or bystander footage against a database of criminal suspects and convicted individuals. It is a retrospective tool: police do not scan crowds in real time but compare incident imagery against a database after a crime. Use requires judicial authorization and is confined to serious offences—sexual violence, attempted murder, severe assault, weapons trafficking, and drug-related crimes.

The system has demonstrated operational value. In 2023, CATCH helped identify 424 suspects from roughly 1,693 submitted images. That track record provides the strongest argument for the technology: a judicially supervised, case-by-case tool contributing to investigations of serious crimes.

The 6.5 Million Non-EU Nationals Problem

Therein lies the contradiction. Alongside the criminal database, Dutch police have had access to a second dataset: the immigration administration's registry of biometric photos collected from non-EU nationals upon arrival for residence permits, asylum applications, or student visas. This database contains approximately 8 million photos of around 6.5 million people—not suspects, not convicted persons, but expats, international students, and asylum seekers who arrived lawfully.

A significant portion of those 6.5 million are nationals from Asia—Chinese, Indian, Indonesian, Philippine, and South Korean nationals who moved to the Netherlands for work, study, or protection. Utrecht University immigration law expert Evelien Brouwer has argued that "there is no specific legal basis for police use of facial images as registered in the foreigners' registry" and that the practice constitutes discrimination: innocent foreigners are treated the same as suspects purely on the basis of their non-EU origin. Privacy researcher Koen Vermissen noted the database disproportionately targets "a group with a higher percentage of people of colour than the general Dutch population."

The gap between the database's size and its actual use underscores the legal tension. Dutch police accessed the foreigners' registry for criminal investigations just twice in 2022—each time with judicial permission. The data exists at scale but is rarely deployed precisely because police understand its legal foundations are contested.

The Clearview Parallel

The Netherlands' enforcement action against Clearview AI reveals the standard regulators apply to others. Clearview's violation was, in essence, doing what the foreigners' registry arrangement arguably does: compiling biometric data on innocent people without a specific legal basis and making it available for identification searches. The AP found no GDPR-lawful basis for this, fined Clearview €30.5 million, added a €5 million non-compliance surcharge, and warned Dutch organisations that using Clearview's services was itself illegal.

If building a biometric identification database of non-consenting individuals without clear statutory authority violates GDPR when a US company does it, the question of what legitimises the same practice when the state does it has never been convincingly answered.

What the EU AI Act Now Requires

The EU AI Act (Regulation 2024/1689) drew a careful distinction between types of law enforcement facial recognition. Article 5 banned real-time remote biometric identification in publicly accessible spaces for law enforcement with narrow exceptions—preventing imminent threats to life, finding trafficking victims, locating suspects in serious offences. That prohibition took effect in February 2025.

Retrospective facial recognition—exactly what CATCH represents—is not banned but is classified as high-risk. From August 2, 2026, Member States must ensure these systems meet demanding conditions: binding judicial or administrative authorisation for each use, a mandatory fundamental rights impact assessment, registration in the EU's central AI database, and full documentation requirements. Member States may only deploy retrospective facial recognition systems if they have updated national laws to satisfy the AI Act's requirements.

The Netherlands closed public consultation on its draft AI Act implementation law (Uitvoeringswet AI-verordening) on June 1, 2026. That draft assigns supervisory authority to the AP for biometrics and law enforcement AI—but takes a deliberately "pure and low-burden" approach, adding no substantive rules beyond the EU baseline. The hard question of whether the foreigners' database can satisfy the AI Act's new legal-basis requirements falls directly on police and prosecutors to resolve before August 2.

Asia's Opposing Trajectory

The Netherlands' tightening framework contrasts sharply with Asia-Pacific, where facial recognition is expanding. Singapore has deployed it broadly at Changi Airport. South Korea is mandating biometric verification for new mobile phone registrations. China leads globally in deployment across government and commercial infrastructure. Many of those 6.5 million people held in the Netherlands' contested database are nationals of exactly these jurisdictions—individuals who moved from high-surveillance environments, only to find their biometric data enrolled in a European police system that cannot meet Europe's own legal standards.

Proportionality Must Cut Both Ways

There is a credible case for retrospective facial recognition in serious crime investigations. CATCH's judicially authorised, case-by-case model is materially different from real-time crowd scanning, and the 424 suspect identifications in 2023 represent genuine investigative value. That model—properly legislated—can be defended on proportionality grounds.

What cannot be defended is the foreigners' registry attachment: treating lawful residency documentation as automatic enrolment in a police biometric identification system, without any specific statutory authority, without subject notification, and applied exclusively to non-EU nationals. The AP holds foreign companies to a standard the Dutch state has not yet applied to itself.

The August 2, 2026 deadline is an opportunity, not just a compliance burden. The Netherlands can formally authorise its legitimate law enforcement facial recognition uses through legislation—and simultaneously sever the legally unsupported link to the foreigners' registry. That is what proportionate, evidence-based regulation looks like when it is applied consistently.
