Ads
Clearview AI, the controversial U.S. face recognition company that gained notoriety for scraping the internet for selfies without authorization to create a massive searchable database of 30 billion pictures, has recently faced its largest GDPR penalties to date. The company has come under fire from various European data protection authorities for violating privacy laws and failing to comply with GDPR regulations.
The latest blow to Clearview AI comes from the Netherlands’ data protection authority, Autoriteit Persoonsgegevens (AP), which fined the company €30.5 million for a number of GDPR violations. This hefty fine exceeds previous GDPR sanctions imposed on Clearview by countries such as France, Italy, Greece, and the U.K. The AP also issued an additional penalty of €5.1 million for Clearview’s continued non-compliance, bringing the total fine to €35.6 million.
The investigation into Clearview AI by the Dutch data protection regulator began in March 2023 after three individuals filed complaints about the company’s data access violations. Under the GDPR, EU citizens have the right to access or delete their personal data, but Clearview AI has ignored these requests. The AP also found that Clearview AI illegally collected biometric data to build its database and failed to inform individuals whose data was collected and stored.
In a statement, the AP emphasized that Clearview should never have created a database of photos, unique biometric codes, and other personal information without consent. The regulator also noted that collecting and using face-derived biometric codes without permission is illegal under GDPR regulations. Clearview’s lack of transparency regarding its data collection practices further exacerbated the situation.
The company’s PR representative, Lisa Linden of Resilere Partners, did not respond to inquiries but provided a statement from Clearview’s chief legal officer, Jack Mulcaire. Mulcaire argued that Clearview does not have a physical presence in the Netherlands or the EU, does not have customers in these regions, and therefore should not be subject to GDPR regulations. However, the Dutch regulator maintains that Clearview’s actions are in violation of GDPR and therefore subject to penalties.
The AP’s ruling highlights the extraterritorial reach of GDPR regulations, which apply to the processing of EU citizens’ personal data regardless of where the company is based. Clearview AI, despite being a U.S. company, is required to comply with GDPR when processing data of EU citizens. The AP warned that Dutch companies using Clearview AI’s services could also face hefty penalties for violating privacy laws.
The ongoing resistance from Clearview AI to cooperate with European data protection authorities has raised concerns about enforcement and accountability. The AP is considering holding corporate executives personally liable for GDPR violations, a move that could potentially change the behavior of companies operating outside the EU. By targeting individual directors who knowingly allow GDPR violations to occur, the AP hopes to create a stronger deterrent against privacy breaches.
The case of Clearview AI raises important questions about the accountability of corporate leaders in upholding privacy laws. As companies increasingly operate across borders, it becomes imperative to ensure that executives are held responsible for compliance with regulations such as GDPR. By exploring the possibility of penalizing Clearview AI’s management, the AP aims to send a strong message that privacy violations will not be tolerated, regardless of a company’s location.
In light of recent events such as the arrest of Telegram founder Pavel Durov in France, where he was held liable for spreading illegal content, the potential personal liability of corporate directors in GDPR violations could have far-reaching implications. Holding individuals accountable for privacy breaches may not only deter companies like Clearview AI from flouting regulations but also encourage greater compliance with EU privacy laws.
As the debate over data privacy and accountability continues to evolve, the actions taken by regulators such as the Dutch AP could set a precedent for how companies are held responsible for data protection violations. By imposing significant fines and exploring personal liability for corporate executives, regulators are sending a clear message that privacy violations will not be taken lightly in the digital age.