Ads
Clearview AI, the controversial U.S.-based facial recognition company, has recently faced its largest penalties under the General Data Protection Regulation (GDPR) in Europe. The company came under scrutiny for collecting over 30 billion images from the internet without permission to create a massive searchable database of pictures.
The Netherlands’ data protection authority, Autoriteit Persoonsgegevens (AP), fined Clearview AI €30.5 million for various GDPR violations after confirming that the database contained images of Dutch citizens. This fine surpasses the penalties imposed by other European countries such as France, Italy, Greece, and the U.K.
The AP also levied an additional €5.1 million penalty on Clearview AI for ongoing non-compliance, bringing the total fine to €35.6 million. The Dutch regulator initiated an investigation into Clearview AI in March 2023 following complaints from three individuals about the company’s data access practices. The GDPR grants EU citizens the right to access or delete their personal data, a right that Clearview AI allegedly ignored.
In addition to unauthorized data collection, Clearview AI is being penalized for unlawfully collecting biometric data to populate its database. The company has also been cited for transparency issues under the GDPR.
The AP stated that Clearview should not have created a database with photos, unique biometric codes, and other personal information without individuals’ consent. The regulator emphasized that collecting and utilizing face-derived unique biometric codes, akin to fingerprints, is illegal under GDPR regulations.
Despite the fines and sanctions, Clearview AI’s PR company, Resilere Partners, did not respond to media inquiries. The company’s chief legal officer, Jack Mulcaire, contested the penalties, claiming that Clearview AI does not have a physical presence in the Netherlands or the EU and therefore should not be subject to GDPR enforcement.
The Dutch regulator maintained that Clearview AI cannot appeal the penalties due to its lack of opposition. The GDPR applies to the processing of EU citizens’ personal data regardless of the company’s location.
Clearview AI primarily provides identity-matching services to government agencies and law enforcement using scraped data. The company’s clientele is less likely to be based in the EU, where violating privacy laws can lead to regulatory consequences.
The AP warned that Dutch organizations using Clearview AI’s services would face significant penalties for breaching GDPR regulations. The regulator stressed that using Clearview AI’s services would be considered unlawful, potentially resulting in heavy fines for businesses in the Netherlands.
In response to Clearview AI’s repeated GDPR violations, the Dutch AP is exploring measures to hold the company’s executives personally accountable for infractions. The agency is investigating whether corporate directors could be liable for GDPR violations and face penalties.
The move towards holding corporate management responsible for data protection violations highlights a growing trend in regulatory enforcement within the EU. As seen in the case of Telegram founder Pavel Durov’s arrest for disseminating illegal content, companies operating in Europe must adhere to data protection laws or face severe consequences.
By considering personal liability for GDPR violations, the Dutch AP aims to strengthen compliance and deter companies like Clearview AI from flouting privacy regulations. Holding directors accountable for breaches of the GDPR could have far-reaching implications for companies operating in the EU, compelling them to prioritize data protection and privacy compliance.
As Clearview AI continues to face scrutiny for its data practices, the Dutch regulator’s efforts to enforce GDPR regulations and potentially target company executives signal a shift towards greater accountability and responsibility in data protection governance.
