In a significant development, Clearview AI, a US-based facial recognition startup, has been hit with its largest GDPR fine to date. The Dutch data protection authority, Autoriteit Persoonsgegevens (AP), has imposed a €30.5 million penalty on the company for violating the General Data Protection Regulation (GDPR). This fine surpasses previous sanctions imposed in France, Italy, Greece, and the UK, marking a substantial blow to the company’s operations.
Key Breaches and Their Consequences
The AP’s decision follows the confirmation that Clearview’s database, which is populated by scraping the internet for people’s selfies without consent, contains images of Dutch citizens. This is a significant breach of GDPR, which aims to protect individuals’ privacy and ensure the proper handling of personal data.
GDPR Violations
-
Data Collection Without Consent: Clearview AI has been accused of collecting biometric data, including unique biometric codes derived from facial images, without a valid legal basis. This is a clear violation of GDPR rules, which prohibit the collection and use of biometric data unless there are specific exceptions.
-
Lack of Transparency: The company has also been found to have failed to inform individuals whose data was scraped and added to its database, another critical GDPR requirement.
Further Penalties and Compliance
The Dutch data protection authority has not only levied a significant fine but has also ordered an additional penalty of up to €5.1 million for continued non-compliance. This means the total potential fine could reach €35.6 million if Clearview AI continues to ignore the Dutch regulator’s orders.
Legal Response and Challenges
Clearview AI’s representative, Lisa Linden, of the Washington, D.C.-based PR firm Resilere Partners, has stated that the company does not have a place of business in the Netherlands or the EU, nor does it have any customers or undertake activities that would subject it to GDPR. The company’s chief legal officer, Jack Mulcaire, has argued that the decision is unlawful, devoid of due process, and unenforceable.
GDPR’s Extraterritorial Reach
Despite the company’s claims, it’s important to note that GDPR’s extraterritorial scope means it applies to the processing of personal data of EU residents, regardless of where the processing takes place. This extends the regulatory reach to Clearview AI, despite its US-based operations.
Impact on Clearview AI’s Business
This fine and the associated penalties could have significant repercussions for Clearview AI’s business, especially given its reliance on European data for its services. The company’s ability to comply with GDPR requirements and the potential for further legal challenges will be critical for its future operations.
Conclusion
The GDPR fine against Clearview AI highlights the stringent nature of EU data protection laws and the consequences for non-compliance. This case serves as a reminder for companies operating globally to ensure they adhere to the GDPR’s requirements, particularly in their handling of biometric data and their obligations to inform and respect individuals’ privacy rights.
Views: 1