Clearview AI faces a punishment of 30.5 million euros from the Dutch DPA for Illegal Facial Recognition Data Collection.

Clearview AI faces a punishment of 30.5 million euros from the Dutch Data Protection Authority (AP) and up to 5 million euros in penalty payments. The US based company provides services using its facial recognition capabilities to investigative and intelligence agencies. Customers of Clearview can supply camera photos to identify individuals seen in the image. Over the past few years, the company has been fined by several other European DPAs including that of Italy, Greece and France.  Clearview provides facial recognition software through its database containing billions of images of faces, including those of Dutch individuals. These images are automatically scraped from the internet, and afterwards transformed into a distinct biometric code for each face. The database contains images, related unique biometric codes, and other data. Similar to fingerprints, these are biometric data. It is not permitted to gather or utilise these without consent. Although this rule has certain legal exceptions, Clearview cannot rely on these legal exceptions. This is all done without the knowledge or approval of the affected individuals. Clearview’s claim is that it only provides services to intelligence and investigation services outside the EU. 

The Dutch DPA warns that the use of Clearview’s AI technology violates the GDPR, and urges organisations to avoid using the corporation’s services. 

There are multiple major violations of the General Data Protection Regulation (GDPR) by Clearview. Firstly, the development of such a database by the corporation violates the GDPR. In addition, the collection of data to build the database does not satisfy the transparency requirements under the GDPR. People in the database are not adequately informed by Clearview about the use of their biometric and photo data by the corporation. According to the GDPR, upon request, Clearview has to disclose to individuals what information it possesses about them within this database. However, Clearview refuses to, and is quite possibly unable to comply with access requests. Chairman of the Dutch DPA Aleid Wolfsen says ‘Facial recognition is a very invasive technology that you can’t just unleash on everyone in the world.” While the chairman acknowledges the importance of security and the detection of criminals by official bodies, and that techniques such as facial recognition can help in achieving this, he expresses concern over the fact that this is being facilitated by a commercial company. Wolfsen warns organisations to avoid using Clearview’s services. ‘Clearview violates the law and using Clearview’s services is therefore illegal. Dutch organisations that use Clearview can therefore expect hefty fines from the AP.’ Wolfsen says.

The Dutch DPA has issued an injunction against Clearview AI and ordered the corporation to put an end to these infractions, while considering other methods of preventing the company’s unlawful data collection and use of AI software. 

Following the AP’s investigation, Clearview did not halt the infractions. The Dutch DPA has therefore issued an injunction to stop these infractions. In addition to the sanctions, Clearview faces penalty payments of up to 5.1 million euros if it fails to comply. Despite prior fines from other European privacy agencies, Clearview does not appear to have altered its conduct. The AP is therefore considering strategies to guarantee that Clearview halts the infractions. Among other things, AP is looking into the possibility of holding the directors of the corporation personally accountable for the infractions. Clearview has not objected to the decision from AP and therefore cannot appeal the fine. Wolfsen, the chairman of the Dutch DPA says: ‘Such a company cannot continue to violate the rights of Europeans with impunity. Certainly not in this serious and massive way. We will now investigate whether we can hold the management of the company personally liable and fine them for directing these violations. This liability also exists if directors know that the GDPR is being violated, are authorised to stop it but fail to do so and thus consciously accept these violations.’

Elevate your data protection standards with Aphaia. Schedule a consultation, and embark on a journey toward strengthening security, GDPR compliance, and the peace of mind that comes with knowing your data protection is in expert hands. Contact Aphaia today.