Clearview AI, the controversial U.S.-based facial recognition startup, has been hit with its largest privacy fine in Europe, totaling €30.5 million (approximately $33.7 million at current exchange rates), from the Netherlands’ data protection authority, Autoriteit Persoonsgegevens (AP). This penalty is a result of multiple breaches of the European Union’s General Data Protection Regulation (GDPR).
The AP’s fine is notably larger than the sanctions imposed by data protection authorities in France, Italy, Greece, and the UK in 2022. The decision includes an additional penalty of up to €5.1 million for continued non-compliance, potentially raising the total fine to €35.6 million if Clearview AI ignores the Dutch regulator’s orders.
Key GDPR Violations and Fine Details
The Dutch data protection authority initiated an investigation into Clearview AI in March 2023 following complaints from three individuals regarding the company’s non-compliance with data access requests. Under GDPR, EU residents have the right to request a copy of their data or have it deleted. Clearview AI was found to have failed to comply with these rights.
Other GDPR violations include:
-
Building a Database Without a Valid Legal Basis: Clearview AI is accused of constructing a database by collecting people’s biometric data (including unique biometric codes) without a lawful basis. The AP emphasizes that collecting and using such data is prohibited, with exceptions that Clearview AI cannot claim.
-
Lack of Transparency: The company was also sanctioned for failing to inform individuals whose personal data it scraped and included in its database.
Clearview AI’s Response
A representative for Clearview AI, Lisa Linden, of the Washington, D.C.-based PR firm Resilere Partners, did not respond to questions but sent TechCrunch a statement attributed to the company’s chief legal officer, Jack Mulcaire. Mulcaire’s statement argues that Clearview AI does not have a place of business in the Netherlands or the EU, does not have any customers in these regions, and does not undertake activities that would subject it to GDPR. Mulcaire further claims that the decision is unlawful, lacks due process, and is unenforceable.
Implications and Further Actions
As Clearview AI failed to object to the decision, it cannot appeal the penalty. The GDPR’s extraterritorial nature means that it applies to the processing of personal data of EU citizens, regardless of where the processing occurs. The AP’s decision highlights the strict enforcement of GDPR principles, particularly regarding the protection of biometric data and the rights of EU citizens to access and control their personal information.
Views: 0