Clearview AI Faces Record €30.5 Million GDPR Fine in the Netherlands

Clearview AI, the U.S.-based facial recognition company notorious for its vast, unauthorized database of images scraped from the internet, has been hit with its largest General Data Protection Regulation (GDPR) fine yet in Europe. The Dutch data protection authority, Autoriteit Persoonsgegevens (AP), announced a €30.5 million penalty for multiple breaches of GDPR, as the database was found to contain images of Dutch citizens.

Largest GDPR Fine to Date

This hefty fine surpasses previous GDPR sanctions imposed by data protection authorities in France, Italy, Greece, and the U.K. back in 2022. Alongside the primary penalty, the Dutch regulator has imposed an additional fine of up to €5.1 million that applies if Clearview AI continues its non-compliance, potentially raising the total penalty to €35.6 million.

The AP’s investigation into Clearview AI began in March 2023, prompted by complaints from three individuals who reported the company’s non-compliance with GDPR data access requests. The GDPR grants EU residents rights to access their personal data and request its deletion—rights that Clearview AI has reportedly ignored.

Violations and Lack of Transparency

The core violations for which Clearview AI is being sanctioned include creating a database using biometric data without a valid legal basis and failing to meet GDPR transparency requirements. The AP emphasized, “Clearview should never have built the database with photos, the unique biometric codes, and other information linked to them.” These face-derived biometric codes, akin to fingerprints, are considered sensitive data under GDPR, and their collection is heavily restricted.

Clearview AI also failed to inform individuals that their personal data was being collected and added to its database. The Dutch regulator’s ruling indicates that the company has shown blatant disregard for GDPR’s extraterritorial provisions, which protect the personal data of EU residents regardless of where the data processing occurs.

Clearview AI’s Response

Clearview’s stance on the matter is clear, as articulated by its chief legal officer, Jack Mulcaire. In a statement shared by spokesperson Lisa Linden, Mulcaire argued, “Clearview AI does not have a place of business in the Netherlands or the EU, it does not have any customers in the Netherlands or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR.” He further described the Dutch regulator’s decision as “unlawful, devoid of due process, and unenforceable.”

The AP, however, maintains that the GDPR’s scope is broad and applies to the processing of personal data of EU residents, regardless of where the processing entity is based. Clearview’s refusal to cooperate or appoint a legal representative in the EU complicates enforcement, but the Dutch regulator remains firm in its stance.

Warning to Potential Users

The Dutch authority has issued a stern warning to any Dutch organizations considering the use of Clearview AI’s services. Aleid Wolfsen, chairman of the Dutch DPA, stated, “Clearview breaks the law, and this makes using the services of Clearview illegal. Dutch organizations that use Clearview may therefore expect hefty fines from the Dutch DPA.” This warning extends to any use of Clearview’s technology by Dutch entities, signaling the regulator’s commitment to upholding privacy rights.

Personal Liability for Executives?

Clearview AI has accumulated approximately €100 million in GDPR fines across Europe, yet regional data protection authorities have struggled to collect these penalties or compel compliance. The company continues to operate with apparent impunity due to its U.S. base.

In response to this ongoing non-compliance, the Dutch AP is exploring new strategies, including the possibility of holding Clearview AI’s executives personally liable for GDPR violations. Wolfsen stated, “Such a company cannot continue to violate the rights of Europeans and get away with it. Certainly not in this serious manner and on this massive scale.” He added that personal liability could be pursued if it’s found that the company’s directors were aware of GDPR violations and had the authority to prevent them but failed to act.

Looking Ahead

As the debate over privacy rights and data protection intensifies, Clearview AI’s ongoing defiance of GDPR regulations serves as a test case for how far European regulators can go in enforcing their rules against foreign companies. The outcome of the Dutch regulator’s actions could set a precedent not just for Clearview AI but for any company handling the personal data of EU citizens without adhering to stringent European privacy standards.

The EU’s determination to protect the data rights of its citizens against unauthorized use and its willingness to explore holding corporate executives personally accountable underscore the importance of compliance. For now, the tech industry watches closely as Clearview AI faces mounting legal challenges, not only from fines but potentially from direct accountability of its top executives.

AI was used to generate part or all of this content.