Clearview AI, the controversial facial recognition startup, has been hit with its largest privacy fine in Europe. The Netherlands’ data protection authority, Autoriteit Persoonsgegevens (AP), imposed a penalty of €30.5 million on Clearview AI for multiple breaches of the European Union’s General Data Protection Regulation (GDPR). This fine surpasses previous GDPR sanctions imposed on Clearview AI in France, Italy, Greece, and the UK.
The AP has also ordered an additional penalty of up to €5.1 million if Clearview AI continues to ignore compliance with the GDPR. The investigation was initiated by the Dutch data protection authority in March 2023 following complaints from individuals regarding the company’s failure to comply with data access requests. The GDPR grants EU residents certain rights concerning their personal data, such as the right to request a copy of their data or have it deleted, which Clearview AI has not been honoring.
The violations for which Clearview AI is being sanctioned include building a database by collecting individuals’ biometric data without a valid legal basis and transparency failings in relation to the GDPR. The AP emphasized that Clearview AI should never have created a database with photos, unique biometric codes, and other linked information, as collecting and using biometric data is prohibited. Additionally, Clearview AI failed to inform individuals whose personal data was scraped and added to its database.
Clearview AI’s chief legal officer, Jack Mulcaire, argued that the company is not subject to the GDPR since it does not have a place of business or customers in the Netherlands or the EU. However, the GDPR has extraterritorial scope, applying to the processing of personal data of EU individuals regardless of where it takes place.
Clearview AI, based in the US, uses scraped data to sell an identity-matching service to customers, including government agencies and law enforcement. However, the company’s clients are increasingly unlikely to be from the EU due to the risk of regulatory sanctions. The AP warned that any Dutch entities using Clearview AI’s services would face hefty fines.
The AP is exploring ways to ensure Clearview AI complies with the law and is considering personal liability for the company’s directors. The regulator is investigating whether the directors can be held responsible for the GDPR violations. The AP emphasized that such a company cannot continue to violate the rights of Europeans without consequences. Holding the management of the company personally liable and imposing fines on them may increase the likelihood of compliance.
Considering recent events, such as the arrest of Telegram’s founder in France over illegal content on the platform, sanctioning the individuals managing Clearview AI may have a greater chance of driving compliance, as they may desire to travel freely within the EU.
Overall, Clearview AI’s significant privacy fine in Europe highlights the importance of GDPR compliance and the potential consequences for companies that fail to uphold individuals’ data rights. It also raises questions about the effectiveness of GDPR enforcement and the need to hold company directors personally accountable for privacy violations.