Clearview AI, the U.S.-based facial recognition firm that garnered criticism for creating a huge, searchable image database by harvesting internet-posted selfies without user permission, has now been slapped with its heftiest privacy-related fine in Europe to date.
The Dutch privacy watchdog, Autoriteit Persoonsgegevens (AP), announced on a recent Tuesday that it has levied a €30.5 million fine (equivalent to about $33.7M) against Clearview AI for multiple violations of the EU’s General Data Protection Regulation (GDPR), following the discovery that Dutch citizens’ photos were included in its database.
This penalty exceeds those earlier GDPR fines imposed on the company by data protection bodies in France, Italy, Greece, and the U.K. during 2022.
In a public statement, the AP also mentioned an additional fine of up to €5.1M for ongoing non-compliance. The total fine could reach €35.6M if Clearview AI continues to overlook the directives of the Dutch authority.
Investigations into Clearview AI by the Dutch data protection body commenced in March 2023 after receiving complaints from individuals about the company’s non-compliance with GDPR data access requests. The GDPR grants European citizens rights concerning their personal data, including requesting copies or deletion of their data, rights that Clearview AI has not been honoring.
The sanctions against Clearview AI by the AP also address serious GDPR infringements, notably the illicit compilation of a database using individuals’ biometric data without legal justification and failings in GDPR transparency requirements.
“The assembly of the database using photos, unique biometric identifiers, and related information was unequivocally irresponsible,” stated the AP. “Such codes, akin to fingerprints, constitute biometric data. Their collection and usage are generally banned, with Clearview failing to meet exceptions that would justify their actions.”
Furthermore, the firm neglected to notify individuals whose data it had collected, according to the ruling.
When reached for a reaction, Clearview’s spokesperson, Lisa Linden from the PR firm Resilere Partners in Washington, D.C., forwarded a statement from Clearview’s chief legal officer, Jack Mulcaire, but chose not to comment directly. Mulcaire contested the decision, stating, “Clearview AI operates neither a business nor customer base in the Netherlands or the EU, nor engages in activities falling under GDPR regulations,” labeling the decision as “unlawful, lacking due process, and unenforceable.”
The Dutch regulator maintains that Clearview AI has no grounds for appeal against the fine, as it did not contest the decision.
Significantly, the extraterritorial nature of the GDPR means it covers the processing of EU citizens’ personal data regardless of where the processing occurs.
Operating out of the U.S., Clearview AI markets its identity-matching service, which uses scraped data, to clients like government and law enforcement agencies. However, within the EU, employing such technology in defiance of privacy laws could lead to regulatory penalties, as experienced by a Swedish police authority in 2021.
The AP has cautioned Dutch entities against using Clearview AI services. “The illegal operations of Clearview mean that utilizing its services within the Netherlands is against the law. Consequently, Dutch organizations employing Clearview may face severe penalties,” stated Aleid Wolfsen, chairman of the Dutch DPA.
An English translation of the AP’s ruling is available for further reading.
Considering Personal Accountability?
Despite accruing roughly €100 million in GDPR fines across the EU in recent years, Clearview AI’s non-cooperation has made collecting such fines a challenge. The company has steadfastly refused to amend its operations that violate GDPR, operating with seeming impunity from abroad.
The Dutch AP has expressed concern and is investigating ways to enforce Clearview AI’s compliance with the law, including the potential personal liability of the company’s directors for the infringements.
“Operating in such a negligent manner, infringing upon the rights of Europeans on an extensive scale, cannot be tolerated. Our aim is to explore the possibility of holding Clearview’s management personally accountable for directing these violations,” Wolfsen elaborated. “Such liability is applicable if the directors were aware of GDPR violations, had the means to prevent them, but chose not to act, thereby tacitly endorsing these infractions.”
In light of Telegram’s founder Pavel Durov’s recent arrest in France for allegedly allowing the spread of illegal content on his platform, the notion of targeting Clearview’s management for enforcement might offer a more effective means of ensuring compliance, particularly as such individuals might wish to travel within the EU.
Compiled by Techarena.au.


