Autoriteit Persoonsgegevens is the latest Data Protection Authority (DPA) in Europe to fine Clearview AI for violating multiple articles of EU GDPR, including illegally collecting data for facial recognition. The Dutch regulator has imposed a fine of €30.5m ($33.7m) and issued orders subject to a penalty for non-compliance of up to more than €5m ($5.5m) if the company does not cease its violations of EU GDPR.
The American company, which offers facial recognition services, has built up an illegal database with over 30 billion photos of faces, including of Dutch people, without consent. The company scrapes images automatically from the internet, then converts them into a unique biometric code per face.
“Facial recognition is a highly intrusive technology, that you cannot simply unleash on anyone in the world,” said Dutch DPA chairman Aleid Wolfsen. “If there is a photo of you on the Internet – and doesn’t that apply to all of us? – then you can end up in the database of Clearview and be tracked. This is not a doom scenario from a scary film. Nor is it something that could only be done in China.”
Multiple GDPR violations
According to the Dutch DPA, Clearview has said it will only provide its services to intelligence and investigative services outside the European Union, which Wolfsen said is “bad enough as it is.” He continued: “This really shouldn’t go any further. We have to draw a very clear line at incorrect use of this sort of technology.”
According to the authority, Clearview “seriously violated privacy law GDPR” on multiple occasions. It said the company shouldn’t have built the database, and that it is insufficiently transparent, especially around the biometric codes, which the DPA said are biometric data as much as fingerprints are.
The company was also found to be failing to cooperate when people in the database requested access to their data.
Clearview has not stopped the violations after the Dutch DPA’s investigation. Failure to comply means another fine of €5m ($5.5m) will be issued on top of the €30.5m ($33.7m) already levied.
According to the DPA, Clearview violated these EU GDPR Articles:
- Article 5(1), opening words and subsection (a), read in conjunction with Article 6(1), for the ‘Clearview for law-enforcement and public defenders’ service.
- Article 9(1), by processing a special category of personal data (biometric data) of data subjects who are within the territory of the Netherlands.
- Article 12(1), read in conjunction with Article 14(1) and (2), and contrary to Article 5(1), opening words and subsection (a) for not adequately informing data subjects.
- Article 12(3), read in conjunction with Article 15, by not responding to two access requests by data subjects.
- Article 12(2), read in conjunction with Article 15, for not facilitating data subjects within the territory of the Netherlands in exercising their right of access.
The fact that Clearview has not designated a representative in the European Union within the meaning of Article 4, opening words and paragraph 17 GDPR, even though it is obliged to do so in line with Article 27(1), also “constitutes a violation of the GDPR.” However, the Dutch DPA refrains from imposing a fine here, as Clearview has already been fined for this violation by the Italian and the Greek Data Protection Authorities.
Illegal to use Clearview services
Wolfsen acknowledges the importance of safety and detection of criminal activity, but adds that this sort of data collection should not be made by commercial businesses, only by competent authorities in highly exceptional cases.
“The police, for example, have to manage the software and database themselves in that case, subject to strict conditions and under the watchful eye of the Dutch DPA and other supervisory authorities,” he said.
Wolfsen also warns about using the company’s services. “Clearview breaks the law, and this makes using the services of Clearview illegal. Dutch organisations that use Clearview may therefore expect hefty fines from the Dutch DPA.”
Besides fining the company and trying to stop the violations, the Dutch DPA is also looking into whether the company’s directors can be held personally responsible for the violations.
“Such companies cannot continue to violate the rights of Europeans and get away with it. Certainly not in this serious manner and on this massive scale. We are now going to investigate if we can hold the management of the company personally liable and fine them for directing those violations,” said Wolfsen.
“That liability already exists if directors know that the GDPR is being violated, have the authority to stop that, but omit to do so, and in this way consciously accept those violations.”
Clearview has not objected to this decision and cannot therefore appeal the fine.
Italian and Greek fines
Clearview was fined €20m ($22m) in March 2022 by Garante per la protezione dei dati personali, the Italian DPA, over alleged biometric monitoring techniques of Italian individuals. It was found to be both holding and processing biometric and geolocation information illegally.
Later in July the company was also fined €20m ($22m) by the Greek DPA, Hellenic, for violating the principles of lawfulness and transparency regarding GDPR.