Dutch DPA Fines Clearview AI for Illegal Facial Recognition

 

On 16 May 2024, the Dutch Data Protection Authority (AP) imposed a fine of €30.5 million on Clearview AI, a U.S. company that offers facial recognition services. Clearview built a vast database of over 30 billion images, scraped from publicly accessible online sources, and converted these into biometric data. This practice violates the GDPR because Clearview lacked a lawful basis for processing such sensitive data.

 

Key Violations

    • Unlawful data collection: Clearview collected images, including from Dutch citizens, without consent and without informing the data subjects.

    • Lack of transparency: The company failed to adequately inform individuals about the usage of their personal data and did not respond to access requests.

    • Biometric data processing: Clearview’s use of biometric data, such as unique facial vectors, is prohibited unless statutory exceptions apply, none of which were valid in this case.

In addition to the fine, the AP also ordered Clearview AI to:

    • end the processing of personal data of data subjects who are in the Netherlands and remove the personal data that Clearview AI unlawfully obtained, threatening additional penalties of up to €5.1 million for non-compliance;

    • provide data subjects in the Netherlands with the information as referred to in Article 14 of the GDPR in a concise, transparent, intelligible, and easily accessible form;

    • end its policy of not responding to access requests by data subjects who are in the Netherlands; and

    • designate a representative in the EU in writing.

Aleid Wolfsen, chairman of the Dutch DPA, emphasized the intrusiveness of facial recognition technology, cautioning that any Dutch organization using Clearview’s services could face significant fines. Wolfsen also mentioned that the Dutch DPA is exploring legal avenues to hold Clearview’s management personally accountable for the continued violations.

Clearview cannot appeal this decision, further solidifying the consequences of its unlawful data practices within the European Union. However, it remains to be seen how this sanction can be enforced – this is the first time an EU data protection authority will try to enforce a sanction on a company not established in that country.

The press release and the decision, both in English, can be found here.

