Ads
Clearview AI, a controversial U.S. face recognition company known for scraping the internet for selfies without consent to build a massive database of 30 billion images, has recently faced its largest GDPR penalties to date as Dutch regulators consider holding executives personally accountable for their actions.
The Netherlands’ data protection authority, Autoriteit Persoonsgegevens (AP), imposed a fine of €30.5 million (approximately $33.7 million) on Clearview AI for a series of GDPR violations after confirming that the company’s database contains images of Dutch citizens. This penalty surpasses fines levied against Clearview AI by other European countries such as France, Italy, Greece, and the U.K. The AP also issued an additional €5.1 million penalty for ongoing non-compliance, bringing the total potential fine to €35.6 million.
The investigation into Clearview AI began in March 2023 following complaints from three individuals about the company’s unauthorized data collection practices. Under the GDPR, EU citizens have the right to access or delete their personal data, which Clearview AI reportedly failed to honor. The company is being penalized for unlawfully collecting biometric data and lacking transparency in its data processing practices, according to the AP.
In a statement, the AP emphasized that Clearview AI violated the law by creating a database of photos, unique biometric codes, and other linked information without proper authorization. The agency also noted that the company failed to inform individuals whose data was collected and processed, further breaching GDPR regulations.
Lisa Linden of Resilere Partners, Clearview’s PR firm, did not respond to requests for comment but shared a statement attributed to Clearview’s chief legal officer, Jack Mulcaire. Mulcaire argued that Clearview AI does not have a physical presence in the Netherlands or the EU, nor does it conduct business or serve customers in the region, therefore questioning the legality and enforceability of the AP’s decision.
Despite Clearview AI’s objections, the Dutch regulator maintains that the company cannot appeal the penalty as it did not challenge the ruling. The GDPR applies to the processing of personal data of EU residents globally, meaning that companies like Clearview AI must adhere to European privacy laws regardless of their location.
Clearview AI provides identity-matching services to government agencies, law enforcement, and security organizations using data obtained through web scraping. The AP warned that Dutch companies utilizing Clearview’s services would face severe penalties, as the company’s actions are deemed illegal. Chairman Aleid Wolfsen cautioned that Clearview’s violations of the law would result in significant consequences for Dutch organizations using its services.
Furthermore, the AP is exploring measures to hold Clearview AI executives personally accountable for GDPR violations. Wolfsen stated that corporate directors could be held liable for infractions if they knew about the GDPR violations, had the authority to prevent them, but chose to ignore or condone the wrongdoing.
In light of recent events such as the arrest of Telegram’s founder, Pavel Durov, in France for distributing illegal content, the potential for holding Clearview AI’s management accountable raises questions about the effectiveness of such measures in driving compliance with GDPR regulations. The threat of personal liability for executives may incentivize companies to adhere to data protection laws to avoid facing legal consequences and restrictions on their activities within the EU.
Ultimately, the European privacy landscape continues to evolve as regulators strive to hold companies accountable for violations and protect individuals’ personal data in an increasingly digital world. Clearview AI’s case serves as a cautionary tale for organizations that fail to comply with GDPR regulations and highlights the importance of data privacy and security in today’s interconnected society.
