NETHERLANDS DATA PROTECTION AUTHORITY IMPOSES €30.5 MILLION FINE ON CLEARVIEW AI FOR ILLEGAL COLLECTION OF BIOMETRIC DATA OF EU CITIZENS

Authored by Ms. Tanima Bhatia

Key highlights

  1. €30.5 Million Fine for GDPR Violations: The Netherlands Data Protection Authority fined Clearview AI €30.5 million for illegally collecting and processing biometric data of EU citizens without their consent, violating the GDPR.
  2. Invasive Technology and Non-Compliance: Clearview AI’s facial recognition technology, which scrapes billions of images from the internet, was found to be highly invasive of people’s privacy. The company also failed to inform individuals about the data collection and did not comply with GDPR data access requests.
  3. Clearview’s Controversial Stance: Despite the fines and ongoing violations, Clearview AI continues to operate, challenging the enforceability of the fines and denying its operations within the EU. The AP may hold Clearview’s directors personally liable, emphasizing the global importance of data privacy enforcement.

Clearview AI’s GDPR Violations

The Netherlands Data Protection Authority (AP) has levied a heavy fine of €30.5 million against U.S.-based facial recognition company Clearview AI. This decision came after the AP found Clearview to seriously violate the European Union’s General Data Protection Regulation (GDPR). Clearview AI built a database containing over 30 billion images scraped from the internet without any consent is at the center of growing global concerns over the misuse of facial recognition technology and the protection of personal privacy.

 

The Invasive Nature of Facial Recognition

Clearview AI offers facial recognition services primarily to law enforcement and intelligence agencies, enabling them to identify individuals from photos or video footage. However, the Dutch regulator made it clear that Clearview’s activities are illegal under the GDPR. Specifically, the collection and processing of biometric data—such as unique facial identifiers—without a legal basis constitutes a major breach of privacy laws.

Aleid Wolfsen, chairman of the AP, emphasized the invasive nature of such technology, stating, “Facial recognition is a very invasive technology that you can’t just unleash on everyone in the world. If a photo of you is on the internet—and who isn’t? —then you can end up in the Clearview database and be tracked. This is not a doomsday scenario from a scary movie.”

Lack of Transparency and Non-Compliance

The AP’s investigation uncovered that Clearview not only created its extensive database illegally but also failed to inform individuals that their biometric data was being collected and used. Furthermore, Clearview did not comply with GDPR-mandated data access requests, which allow EU residents to see what personal data companies possess of them and to request deletion of such data.

Despite the stern warnings of AP, and the imposition of the substantial fine, Clearview has not ceased its operations in the Netherlands. This has led the regulator to impose additional penalties, potentially raising the total fine to €35.6 million. The AP’s actions are part of a broader effort to ensure that companies operating globally respect European privacy laws, even if they are based outside the EU.

 

Clearview’s Response and the Future of Data Privacy

In response to the fine, Clearview’s chief legal officer, Jack Mulcaire, dismissed the AP’s decision as “unlawful, devoid of due process, and unenforceable,” arguing that the company does not operate within the EU or have any customers there. However, the GDPR’s extraterritorial jurisdiction as mentioned expressly in the act means that any processing of EU citizen’s data, regardless of the company’s location, falls under the scope of GDPR.

The situation in the Netherlands is not an isolated case for Clearview AI, as the company has faced similar fines in other European countries. Despite this, Clearview AI continues to operate largely unabated. The AP is now considering holding Clearview’s directors personally liable for ongoing violations, which could have significant implications for the future handling of data privacy by tech companies.

 

The Global Implications of the AP’s Actions

As the debate over facial recognition technology intensifies, this case serves as a stark reminder of the ethical challenges and potential risks posed by such tools. The AP’s firm stance on protecting individual privacy and enforcing GDPR principles sets a strong precedent for other regulators worldwide, signaling the importance of upholding data protection in the digital age.

References:

  1. https://autoriteitpersoonsgegevens.nl/actueel/ap-legt-clearview-boete-op-voor-illegale-dataverzameling-voor-gezichtsherkenning?mkt_tok=MTM4LUVaTS0wNDIAAAGVV9LTHIkAURUXflahTf8llwjv_XCnAc1btCrv3AHzCYHX6StFxJD8MPP_9OMqQCZ5s6rKVJMWdQNzhdtqd39W668JtofvtyqPxqR7xPtZoGtu
  2. https://techcrunch.com/2024/09/03/clearview-ai-hit-with-its-largest-gdpr-fine-yet-as-dutch-regulator-considers-holding-execs-personally-liable/
  3. https://apnews.com/article/clearview-ai-facial-recognition-privacy-fine-netherlands-a1ac33c15d561d37a923b6c382f48ab4#
  4. https://www.autoriteitpersoonsgegevens.nl/en/current/dutch-dpa-imposes-a-fine-on-clearview-because-of-illegal-data-collection-for-facial-recognition
  5. https://www.yourbigsky.com/news/business/ap-business/ap-clearview-ai-fined-33-7-million-by-dutch-data-protection-watchdog-over-illegal-database-of-faces/