Clearview AI, a U.S.-based facial recognition startup, has once again found itself in hot water, this time with a substantial fine from the Netherlands’ data protection authority, Autoriteit Persoonsgegevens (AP). The company has been penalized for multiple breaches of the European Union’s General Data Protection Regulation (GDPR), with the fine totaling €30.5 million (approximately $33.7 million).
The Dutch regulator’s decision marks the largest GDPR-related penalty imposed on Clearview AI so far. The AP’s investigation revealed that Clearview’s database contained images of Dutch citizens, collected without their consent. This fine surpasses previous sanctions imposed by authorities in France, Italy, Greece, and the United Kingdom in 2022.
Continued Non-Compliance and Additional Penalties
In addition to the hefty fine, the AP has warned Clearview AI of an additional penalty of up to €5.1 million if the company continues to violate GDPR regulations. The total fine could potentially reach €35.6 million if Clearview fails to comply with the Dutch regulator’s orders. The investigation began in March 2023, following complaints from individuals who reported Clearview’s non-compliance with data access requests. Under GDPR, EU residents have the right to access and request the deletion of their personal data, rights that Clearview has not honored.
The AP identified several key GDPR violations by Clearview AI, including the creation of a database using people’s biometric data without a valid legal basis. The regulator emphasized that Clearview should never have built a database with photos and unique biometric codes without proper authorization. Additionally, the company failed to inform individuals that their personal data had been scraped and added to its database, violating transparency requirements under GDPR.
Clearview AI’s chief legal officer, Jack Mulcaire, responded to the fine by arguing that the company is not subject to GDPR. He claimed that Clearview AI does not have a physical presence or customers in the Netherlands or the EU and does not engage in activities that would fall under GDPR jurisdiction. Mulcaire labeled the decision as “unlawful” and “unenforceable.” However, the Dutch regulator has stated that Clearview cannot appeal the penalty as it failed to object to the decision in a timely manner.
Extraterritorial Reach of GDPR
Despite Clearview’s claims, GDPR’s extraterritorial scope allows it to apply to any processing of EU citizens’ personal data, regardless of where the processing occurs. Clearview AI, which sells identity-matching services to government agencies and law enforcement, increasingly faces regulatory challenges in the EU. European authorities have made it clear that the use of Clearview’s services could result in significant penalties for any organization within their jurisdiction.
The Dutch AP is now exploring whether they can hold Clearview AI’s executives personally liable for the ongoing GDPR violations. The regulator expressed concerns about the company’s continued disregard for European privacy laws, suggesting that holding the management personally accountable could be a more effective deterrent. This move is part of a broader effort to ensure compliance, especially given the company’s history of flouting GDPR regulations with apparent impunity.
The Dutch regulator’s decision to impose a record fine on Clearview AI underscores the seriousness of GDPR violations, particularly concerning the unauthorized collection and use of biometric data. As European authorities continue to crack down on privacy breaches, Clearview AI and its executives may face increasing pressure to comply with GDPR or risk further legal and financial consequences.
