Thanks for the info. We don't use any private data, only publicly available images. So it won't be a problem, in my opinion.
I will contact my lawyer and double-check this.
You might want to look up Clearview AI, who also took publicly available images, performed biometric recognition on them and ended up with a €30.5 million fine: https://blog.barracuda.com/2024/10/23/clearview-ai-fine-gdpr...
The GDPR works on the personally-identifiable vs anonymous distinction. Private vs public doesn't really factor into it, or at least only becomes relevant in the nuances.
Personally identifiable data is just a mouthful, which is why people like to misleadingly shorten it to private data.
Not only the EU, but you will have to check with each of the 50 US states as they all have a patchwork of laws. Illinois was one of the first, but I don't know much about it; I thought I read it was pretty extensive to the point some facial recognition companies specifically exclude it. Texas also has its own version as well, that I know of; again don't know details.