The Netherlands’ data protection authority, Autoriteit Persoonsgegevens (AP), has imposed a fine of €30.5m on Clearview AI, accusing it of illegally collecting data for facial recognition. The fine addresses the US-based facial recognition company’s creation of a vast database containing billions of images, including those of Dutch citizens.
Clearview AI, which offers facial recognition services to intelligence and investigative agencies, has built a database of over 30 billion images scraped automatically from the internet. These images are used to generate unique biometric codes for facial recognition, all done without the knowledge or consent of the individuals involved.
Clearview’s ongoing facial recognition battles
The Dutch data protection watchdog found that Clearview AI had committed multiple serious breaches of the European Union (EU)’s General Data Protection Regulation (GDPR). Key among these violations is the illegal collection and use of biometric data. According to GDPR, the collection of such sensitive data is strictly regulated, and Clearview AI does not meet any of the statutory exceptions that would permit such activity.
In addition to the illegal data collection, Clearview AI was also found to be insufficiently transparent in informing individuals that their images and biometric data had been collected and stored in its database. Individuals have the right to access their personal data and the US company has consistently failed to comply with requests for data access, said Autoriteit Persoonsgegevens.
Following its investigation, the Dutch regulator ordered Clearview AI to cease its GDPR violations. If the company fails to comply, it will face further penalties of up to €5.1m on top of the imposed fine. The Dutch data protection authority is exploring further measures to enforce compliance, including investigating the possibility of holding the company’s directors personally responsible for the ongoing violations.
In response to the regulator’s decision, Clearview AI’s chief legal officer told Reuters that the firm did not recognise the AP’s jurisdiction over its operations. “Clearview AI does not have a place of business in the Netherlands or the European Union, it does not have any customers in the Netherlands or the EU,” said Jack Mulcaire. “[Clearview AI] does not undertake any activities that would otherwise mean it is subject to the GDPR (the EU’s General Data Protection Regulation). This decision is unlawful, devoid of due process and is unenforceable.”
For its part, Autoriteit Persoonsgegevens issued a warning to any Dutch entities considering the use of Clearview AI’s services, emphasising that doing so would be in violation of GDPR and subject to penalties. “Such a company cannot continue to violate the rights of Europeans and get away with it,” said AP’s chairman Aleid Wolfsen. “We are now going to investigate if we can hold the management of the company personally liable and fine them for directing those violations.
“That liability already exists if directors know that the GDPR is being violated, have the authority to stop that, but omit to do so, and in this way consciously accept those violations.”
Autoriteit Persoonsgegevens’ investigation into Clearview AI began in March 2023 after receiving complaints from three individuals regarding the company’s non-compliance with data access requests.
Clearview AI has been subject to fines from various other data protection authorities across Europe. In 2022, the UK’s Information Commissioner’s Office (ICO) fined Clearview AI £7.5m for collecting and storing images of UK citizens for use in its software. The ICO also issued a banning order which will stop the company from obtaining information about UK residents in future and ordered it to delete all the offending records from its database.
During the same period, the facial recognition company was also hit by penalties from data protection authorities in France, Italy, and Greece.
France’s Commission Nationale de l’Informatique et des Libertés (CNIL), Greece’s Hellenic Data Protection Authority, and Italy’s Garante per la Protezione dei Dati Personali fined Clearview AI €20m each.
Written by Refna Tharayil