- Clearview AI fined €30.5 million by Dutch data protection authority for GDPR breaches.
- A potential additional penalty of €5.1 million for continued non-compliance, totaling up to €35.6 million.
- Violations include unauthorized biometric data collection and failure to comply with data access requests.
- Clearview AI disputes the decision, claiming it is not subject to GDPR, but did not appeal the ruling.
- Dutch regulator exploring holding company directors personally liable for ongoing violations.
Main AI News:
Clearview AI, the controversial U.S.-based facial recognition company, has been hit with a significant privacy fine in Europe. The Netherlands’ data protection authority, Autoriteit Persoonsgegevens (AP), imposed a €30.5 million (around $33.7M) penalty for multiple violations of the EU’s General Data Protection Regulation (GDPR). It comes after the AP confirmed that Clearview’s database, built by scraping images from the internet without consent, includes photos of Dutch citizens. The fine is the largest Clearview has faced in Europe, surpassing penalties from France, Italy, Greece, and the U.K. in 2022.
The AP also announced an additional potential penalty of up to €5.1 million if Clearview AI disregards GDPR compliance, which could bring the total fine to €35.6 million. The investigation began in March 2023, triggered by complaints about Clearview’s failure to comply with data access requests. GDPR grants EU residents specific rights over their personal data, including access and deletion requests, which Clearview has ignored.
Key GDPR violations include the unauthorized collection of biometric data and transparency failures. The AP emphasized that Clearview AI’s creation of a database using biometric data, such as facial recognition codes, is prohibited under GDPR without a valid legal basis. The company also failed to notify individuals whose data was scraped.
Clearview AI disputes the penalty, arguing that it does not operate within the EU or conduct activities that would subject it to GDPR. However, the Dutch regulator noted that the company did not appeal the decision and remains subject to GDPR’s extraterritorial provisions, which apply to processing EU citizens’ data regardless of location.
While Clearview AI primarily markets its services to government agencies and law enforcement, it faces increasing regulatory challenges in the EU. The AP warned that Dutch organizations using Clearview’s technology could face substantial fines. Despite accumulating nearly €100 million in GDPR fines across Europe, Clearview has not altered its operations to comply with the law, paid any fines, or appointed an EU-based legal representative.
In response, the Dutch AP is exploring ways to hold Clearview AI’s directors personally liable for ongoing violations, which may compel the company to adhere to GDPR regulations.
Conclusion:
The hefty fines imposed on Clearview AI by the Dutch regulator signal a growing enforcement trend within the EU to protect citizens’ data rights, particularly against companies operating outside of Europe but impacting EU citizens. This action underscores the extraterritorial reach of GDPR and serves as a warning to other companies handling the personal data of EU residents. The potential move to hold company directors personally liable could set a precedent, pushing businesses to prioritize compliance more rigorously. For the market, this development may lead to increased scrutiny and legal challenges for companies involved in data processing, emphasizing the importance of robust data protection strategies.