Clearview AI, the controversial U.S.-based, facial recognition startup that built a searchable database of 30 million images populated by scraping the internet for people’s selfies without their consent, has been hit with its largest privacy fine yet in Europe.
The Netherlands’ data protection authority, Autoriteit Persoonsgegevens (AP), said on Tuesday that it has imposed a penalty of €30.5 million — around $33.7M at current exchange rates — on Clearview AI for a raft of breaches of the European Union’s General Data Protection Regulation (GDPR) after confirming the database contains images of Dutch citizens.
This fine is larger than separate GDPR sanctions imposed by data protection authorities in France, Italy, Greece and the U.K. back in 2022.
In a press release, the AP warned it has ordered an additional penalty of up to €5.1M that will be levied for continued non-compliance, saying Clearview failed to stop the GDPR violations after the investigation concluded, which is why it has made the additional order. The total fine could hit €35.6M if Clearview AI keeps ignoring the Netherlands regulator.
The Dutch data protection authority began investigating Clearview AI in March 2023 after it received complaints from three individuals related to the company’s failure to comply with data access requests. The GDPR gives EU residents a set of rights related to their personal data, which includes the right to request a copy of their data or have it deleted. Clearview AI has not been complying with such requests.
Other GDPR violations the AP is sanctioning Clearview AI for include the salient one of building an database by collecting people’s biometric data without a valid legal basis. It is also being sanctioned for GDPR transparency failings.
“Clearview should never have built the database with photos, the unique biometric codes and other information linked to them,” the AP wrote. “This especially applies for the [face-derived unique biometric] codes. Like fingerprints, these are biometric data. Collecting and using them is prohibited. There are some statutory exceptions to this prohibition, but Clearview cannot rely on them.”
The company also failed to inform the individuals whose personal data it scraped and added to its database.
Reached for comment, Clearview representative, Lisa Linden, of the Washington, D.C.-based PR firm Resilere Partners, did not respond to questions but emailed TechCrunch a statement that’s attributed to Clearview’s chief legal officer, Jack Mulcaire.
“Clearview AI does not have a place of business in the Netherlands or the EU, it does not have any customers in the Netherlands or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR,” Mulcaire wrote, adding: “This decision is unlawful, devoid of due process and is unenforceable.”
Per the Dutch regulator, the company cannot appeal the penalty as it failed to object to the decision.
It’s also worth noting the GDPR is extraterritorial in scope, meaning it applies to the processing of personal data of EU people wherever that processing takes place.
U.S.-based Clearview uses people’s scraped data to sell an identity-matching service to customers that can include government agencies, law enforcement and other security services. However, its clients are increasingly unlikely to hail from the EU, where use of the privacy law-breaking tech risks regulatory sanction — something which happened to a Swedish police authority back in 2021.
The AP warned that it will rigorously sanction any Dutch entities that seek to use Clearview AI. “Clearview breaks the law, and this makes using the services of Clearview illegal. Dutch organisations that use Clearview may therefore expect hefty fines from the Dutch DPA,” wrote Dutch DPA chairman, Aleid Wolfsen.
An English language version of the AP’s decision can be accessed via this link.
Personal liability?
Clearview AI has faced a raft of GDPR penalties over the past several years (on paper, it has amassed a total of about €100 million in EU privacy fines), but regional data protection authorities apparently haven’t been very successful at collecting any of these fines. The U.S.-based company remains uncooperative and has not appointed a legal representative in the EU.
More importantly, Clearview AI has not changed its GDPR-violating behavior — it has continued to flout European privacy laws with apparent operational impunity on account of being based elsewhere.
The Dutch AP is concerned about this, saying it is exploring ways to ensure Clearview stops breaking the law. The regulator is looking into whether the company’s directors can be held personally responsible for the violations.
“Such a company cannot continue to violate the rights of Europeans and get away with it. Certainly not in this serious manner and on this massive scale. We are now going to investigate if we can hold the management of the company personally liable and fine them for directing those violations,” wrote Wolfsen. “That liability already exists if directors know that the GDPR is being violated, have the authority to stop that, but omit to do so, and in this way consciously accept those violations.”
Since we’ve just seen the founder of messaging app Telegram, Pavel Durov, arrested on French soil over allegations of illegal content being spread on his platform, it’s interesting to consider whether sanctioning the people managing Clearview might have a greater chance of driving compliance — they may wish to travel freely to and around the EU, after all.