Clearview AI Fined by the Dutch Data Protection Authority
Clearview AI fined by the Netherlands for violating the General Data Protection Regulation
By Dr. Christina Catenacci
Sept 6, 2024
Key Points:
Clearview AI was fined a significant amount of money for scraping the faces and biometric information of people on the Internet, and then not properly informing them that it had their data
If Clearview AI does not stop what it is doing, it will receive further fines of up to 5.1 million Euros on top of the 30.5 million Euro fine
It is important to note that Clearview AI is an American company that does not have an establishment in the EU, yet it received a hefty fine anyway, since some of the faces it scraped were photos of Dutch people. Thus, it is no surprise that the GDPR applied
Despite the fact that Clearview AI is an American company that does not have an establishment in the EU, the company has just received a hefty fine of about €30.5 million (plus a fine of up to €5.1 million if there is further noncompliance), courtesy of the Dutch Data Protection Authority (DPA).
What happened?
Clearview AI is a commercial business that offers facial recognition services to intelligence and investigative services. In fact, it has acquired 30 billion photos of people (including photos of Dutch people). How has it accumulated so many images? It has scraped them from the Internet and converted each image to a unique biometric code. This, of course, has been accomplished without obtaining the consent of the people whose faces were scraped.
According to Clearview AI, it provides its services to intelligence and investigative services outside the EU only. However, the DPA has concluded that Clearview AI is operating illegally.
In fact, since using the services of Clearview AI is also prohibited, the DPA has warned that Dutch organizations that use Clearview AI may expect serious fines as well.
What were the violations?
The DPA found that Clearview AI has violated the General Data Protection Regulation (GDPR).
The DPA has stated that the company never should have built its database in the first place. The following are the main violations by Clearview AI:
Collected and used facial images and biometric data
Insufficiently informed people who were in the database that the company had their data, and did not cooperate in requests for access to the information
Again, the DPA asked Clearview AI to stop doing these things. If it does not stop, there will be further fines of up to 5.1 million Euros—on top of the 30.5 million Euro fine.
What can we take from this development?
The message here is clear: Clearview AI has to stop doing what it is doing, and it will be the DPA that stops it. This conclusion about Clearview AI may be made in other jurisdictions too. Again, Article 3 of the GDPR deals with territorial scope and unequivocally states that the GDPR applies to the processing of personal data of data subjects who are in the EU where there is processing of personal data related to:
The offering of goods or services to data subjects in the EU (regardless of whether payment is required), or
The monitoring of the behaviour of data subjects where their behaviour takes place within the EU
DPA Chairman Aleid Wolfsen stated:
“Facial recognition is a highly intrusive technology, that you cannot simply unleash on anyone in the world…If there is a photo of you on the Internet – and doesn't that apply to all of us? – then you can end up in the database of Clearview and be tracked. This is not a doom scenario from a scary film. Nor is it something that could only be done in China…This really shouldn't go any further. We have to draw a very clear line at incorrect use of this sort of technology”
Wolfsen pointed out that it was important for safety reasons to be able to detect criminals using the facial recognition technology, but he highlighted that this should not be done by commercial businesses. Rather, he noted that facial recognition should only be used by competent authorities and only in exceptional cases. For instance, the police can manage the software and database themselves, under the watchful eye of the DPA and other supervisory authorities.
There can be no appeal in this case because Clearview AI did not object to the decision.
The message is clear: collecting (in this case, scraping) sensitive data from the Internet and subsequently not informing individuals that the business holds their data is not going to work for businesses. In fact, companies that do this are likely to be fined considerably.