Clearview AI, the controversial US-based facial recognition startup that harvested selfies from the internet without people's consent and built a searchable database of 30 million images, has been hit with Europe's largest ever privacy fine.
Dutch data protection authority Autoriteit Persoonsgegevens (AP) announced Tuesday that it had fined Clearview AI 30.5 million euros (about $33.7 million at current exchange rates) for a series of violations of the European Union's General Data Protection Regulation (GDPR) after finding that the database contained images of Dutch citizens.
The fine is higher than the GDPR fines imposed individually by data protection authorities in France, Italy, Greece and the UK in 2022.
The AP said in a press release that it had issued an additional order because Clearview had not stopped violating the GDPR after the investigation was completed, and warned that the company would face additional fines of up to 5.1 million euros if the violations continued. If Clearview AI continues to ignore Dutch regulators, the total fines could reach 35.6 million euros.
The Dutch Data Protection Authority launched an investigation into Clearview AI in March 2023 after receiving complaints from three individuals related to the company's failure to comply with data access requests. The GDPR gives EU residents a set of rights regarding their personal data, including the right to request a copy of their data or to have it deleted. Clearview AI has not complied with these requests.
Other GDPR violations for which the AP has sanctioned Clearview AI include the notable violation of collecting people's biometric data and building a database without a valid legal basis. The company has also been sanctioned for GDPR transparency deficiencies.
“Clearview should never have built a database containing photos, unique biometric codes and other information linked to them,” the AP wrote. “This is especially true for [face-derived unique biometric] codes. Like fingerprints, these are biometric data. Collecting and using them is prohibited. There are some statutory exceptions to this prohibition, but Clearview cannot rely on them.”
According to the ruling, the company also failed to notify individuals whose personal data had been scraped and added to its database.
When reached for comment, Clearview representative Lisa Linden of Washington, DC-based PR firm Resilere Partners did not respond to questions but emailed TechCrunch a statement that she said was from Clearview's chief legal officer, Jack Mulcaire.
“Clearview AI has no establishments in the Netherlands or the EU, no customers in the Netherlands or the EU, and does not conduct activities that would be subject to the GDPR,” Mulcaire wrote, adding that “the decision is unlawful, lacks due process, and is unenforceable.”
The Dutch regulator said the company cannot appeal the fine because it did not challenge the decision.
It is also worth noting that the GDPR has extraterritorial scope, meaning it applies to the processing of personal data of people in the EU regardless of where that processing takes place.
US-based Clearview uses scraped data on people to sell identity matching services to clients including government agencies, law enforcement and other security services. But its clients are increasingly unlikely to be from the EU, as using the technology in violation of privacy laws risks regulatory sanctions, which is what happened to a Swedish police department in 2021.
The AP warned of heavy sanctions for any Dutch organisations wanting to use Clearview AI: “Clearview has violated the law, which makes the use of Clearview's services illegal. Dutch organisations using Clearview may therefore face heavy fines from the Dutch DPA,” wrote Aleid Wolfsen, chairman of the Dutch DPA.
The English version of the AP decision can be accessed at this link.
Personal responsibility?
Clearview AI has faced numerous GDPR penalties over the past few years (on paper, EU privacy fines totalling around €100 million), but local data protection authorities don't seem to have had much success collecting those fines: the US-based company remains uncooperative and has not appointed a legal representative in the EU.
More importantly, Clearview AI has not changed its GDPR-violating behavior. The company continues to ignore European privacy laws while apparently enjoying operational immunity because it is based elsewhere.
The Dutch AP said it was concerned about this and was looking into ways to stop Clearview from violating the law. Regulators are investigating whether the company's directors can be held personally liable for violations.
“Companies like this cannot continue to violate European rights and go unpunished, especially in such a serious and large scale way. We are currently investigating whether we can hold management personally liable and fine them for directing these violations,” Wolfsen wrote. “Where directors knew about and had the power to stop GDPR violations but failed to do so, and thus knowingly tolerated violations, then liability already exists.”
With the recent arrest of Pavel Durov, founder of messaging app Telegram, in France for allegedly spreading illegal content on the platform, it will be interesting to consider whether imposing sanctions on Clearview administrators could encourage them to comply – after all, they may want to travel freely in and across the EU.