Clearview AI hit with its largest GDPR fine yet as Dutch regulator considers holding execs personally liable

Date:

Share post:


Clearview AI, the controversial U.S.-based, facial recognition startup that built a searchable database of 30 million images populated by scraping the internet for people’s selfies without their consent, has been hit with its largest privacy fine yet in Europe.

The Netherlands’ data protection authority, Autoriteit Persoonsgegevens (AP), said on Tuesday that it has imposed a penalty of €30.5 million — around $33.7M at current exchange rates — on Clearview AI for a raft of breaches of the European Union’s General Data Protection Regulation (GDPR) after confirming the database contains images of Dutch citizens.

This fine is larger than separate GDPR sanctions imposed by data protection authorities in France, Italy, Greece and the U.K. back in 2022.

In a press release, the AP warned it has ordered an additional penalty of up to €5.1M that will be levied for continued non-compliance, saying Clearview failed to stop the GDPR violations after the investigation concluded, which is why it has made the additional order. The total fine could hit €35.6M if Clearview AI keeps ignoring the Netherlands regulator.

The Dutch data protection authority began investigating Clearview AI in March 2023 after it received complaints from three individuals related to the company’s failure to comply with data access requests. The GDPR gives EU residents a set of rights related to their personal data, which includes the right to request a copy of their data or have it deleted. Clearview AI has not been complying with such requests.

Other GDPR violations the AP is sanctioning Clearview AI for include the salient one of building a database by collecting people’s biometric data without a valid legal basis. It is also being sanctioned for GDPR transparency failings.

“Clearview should never have built the database with photos, the unique biometric codes and other information linked to them,” the AP wrote. “This especially applies for the [face-derived unique biometric] codes. Like fingerprints, these are biometric data. Collecting and using them is prohibited. There are some statutory exceptions to this prohibition, but Clearview cannot rely on them.”

The company also failed to inform the individuals whose personal data it scraped and added to its database, per the decision.

Reached for comment, Clearview representative, Lisa Linden, of the Washington, D.C.-based PR firm Resilere Partners, did not respond to questions but emailed TechCrunch a statement that’s attributed to Clearview’s chief legal officer, Jack Mulcaire.

“Clearview AI does not have a place of business in the Netherlands or the EU, it does not have any customers in the Netherlands or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR,” Mulcaire wrote, adding: “This decision is unlawful, devoid of due process and is unenforceable.”

According to the Dutch regulator, the company cannot appeal the penalty as it failed to object to the decision.

It’s also worth noting that the GDPR is extraterritorial in scope, meaning it applies to the processing of personal data of EU people wherever that processing takes place.

U.S.-based Clearview uses people’s scraped data to sell an identity-matching service to customers that can include government agencies, law enforcement and other security services. However, its clients are increasingly unlikely to hail from the EU, where use of the privacy law-breaking tech risks regulatory sanction — something which happened to a Swedish police authority back in 2021.

The AP warned that it will rigorously sanction any Dutch entities that seek to use Clearview AI. “Clearview breaks the law, and this makes using the services of Clearview illegal. Dutch organisations that use Clearview may therefore expect hefty fines from the Dutch DPA,” wrote Dutch DPA chairman, Aleid Wolfsen.

An English language version of the AP’s decision can be accessed via this link.

Personal liability?

Clearview AI has faced a raft of GDPR penalties over the past several years (on paper, it has amassed a total of about €100 million in EU privacy fines), but regional data protection authorities apparently haven’t been very successful at collecting any of these fines. The U.S.-based company remains uncooperative and has not appointed a legal representative in the EU.

More importantly, Clearview AI has not changed its GDPR-violating behavior — it has continued to flout European privacy laws with apparent operational impunity on account of being based elsewhere.

The Dutch AP is concerned about this, saying it is exploring ways to ensure Clearview stops breaking the law. The regulator is looking into whether the company’s directors can be held personally responsible for the violations.

“Such a company cannot continue to violate the rights of Europeans and get away with it. Certainly not in this serious manner and on this massive scale. We are now going to investigate if we can hold the management of the company personally liable and fine them for directing those violations,” wrote Wolfsen. “That liability already exists if directors know that the GDPR is being violated, have the authority to stop that, but omit to do so, and in this way consciously accept those violations.”

Since we’ve just seen the founder of messaging app Telegram, Pavel Durov, arrested on French soil over allegations of illegal content being spread on his platform, it’s interesting to consider whether sanctioning the people managing Clearview might have a greater chance of driving compliance — they may wish to travel freely to and around the EU, after all.



Source link

Lisa Holden
Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.

Recent posts

Related articles

US government urges high-ranking officials to lock down mobile devices following telecom breaches

The U.S. government is urging senior politicians and high-ranking officials to lock down their devices amid the...

North Korea-linked hackers accounted for 61% of all crypto stolen in 2024

With the rising adoption and value of crypto assets, the potential for theft is also on the...

Bugs in a major McDonald’s India delivery system exposed sensitive customer data

A major McDonald’s delivery system in India exposed the personal information of its customers and drivers due...

Apple and Meta go to war over interoperability vs. privacy

Apple and Meta are warring in Europe over the balance between interoperability and privacy, Reuters reports. The fight...

BlueQubit raises $10M to take Quantum software into real-world applications

Integrating quantum computing into real-world computer applications is an ongoing problem, as the platforms are architected fundamentally...

Indian startups raised 32% fewer rounds in 2024 as VCs got selective

Indian startups raised 32% fewer funding rounds in 2024 compared to last year, per new numbers from...

‘We want to pay it forward’: Funding Societies raises $25M to boost capital for SMEs in Southeast Asia

Small and medium-sized enterprises (SMEs) account for nearly 50% of Southeast Asia’s GDP, contributing to job creation,...

Exclusive: Google’s Gemini is forcing contractors to rate AI responses outside their expertise

Generative AI may look like magic, but behind the development of these systems are armies of employees...