Clearview AI has recently been hit with a fine of €20 million for violating the principles of lawfulness and transparency.
A civil non-profit organisation, “Homo Digitalis” lodged a complaint against Clearview AI Inc., a facial recognition company which developed its database by scraping individuals’ images from across the web. This was lodged on behalf of a complainant, with the Greek DPA. This complaint was relating to the data subject’s right of access. The individual complained that they were dissatisfied with the right of access they were able to exercise with the company. In lodging the complaint, the organisation also requested that the general practices of the company be examined with regards to personal data protection. This investigation resulted in a fine of €20 million, due to several GDPR violations.
The investigation into Clearview AI’s practices relating to data protection revealed multiple GDPR violations.
The Greek DPA’s investigation into Clearview AI’s practices, specifically regarding data protection, revealed multiple GDPR violations.
The Authority found that the company violated the principles of lawfulness and transparency which are covered in Articles. 5 (paragraphs 1(a) and (2)), 6, 9 of the GDPR. Article 5(1)(a) of the GDPR states that personal data should be “processed lawfully, fairly and in a transparent manner in relation to the data subject…”. The principle of accountability was also violated as Article 5(2) states that a “controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1.” Article 6 details the requirements for legal basis for collection and processing of personal data, and Article 9 covers specifically the processing of special categories of data. In addition, the Authority also found that the company neglected its obligations under Articles 12, 14, 15 and 27 of the GDPR. These numerous violations resulted in the company being hit with a €20 million fine.
The Greek DPA imposed a fine of €20 million οn Clearview AI Inc, as well as a prohibition on the collection and processing of personal data.
In addition to a fine of €20 million, the Greek DPA ordered the company to comply with the GDPR in a manner that allows it to satisfy the complainant’s request for access to their personal data. Furthermore, the Authority placed a prohibition on the company, on the collection and processing of personal data of subjects located within the Greek territory, using facial recognition technology. The Greek DPA has also ordered Clearview AI Inc. to delete all personal data relating to those subjects located in Greece, which the company collects and processes using facial recognition technology.
Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.