Dutch data watchdog hits Clearview AI with 30.5 million euro fine
The Dutch Data Protection Authority (DPA) has imposed a fine of 30.5 million euros on Clearview AI. The data watchdog accuses the US company of having compiled an illegal facial recognition database containing billions of photos. Now the Dutch DPA is investigating whether the company’s leadership can be held personally accountable. The authority announced the fine on Tuesday.
Clearview has amassed a gigantic trove of photos of people taken from the internet and uses them to train its facial recognition software. The database contains more than 50 billion images of faces, the company claims. The data, according to the Dutch DPA, was processed by the company without necessary legal basis and also includes the data of Dutch citizens.
Clearview claims to sell access to its software only to intelligence and investigative services. A 2020 report by the New York Times brought greater attention to the then little-known company.
The Dutch regulator now accuses the company of having “seriously violated” the EU’s General Data Protection Regulation (GDPR) – and as a consequence has imposed a fine of 30.5 million euros.
Illegal database
The Dutch data watchdog argues that Clearview “should never have built” its database. The regulator regards as especially problematic the sensitive biometric data the company has collected. “There are some statutory exceptions” to prohibitions on the collection of such data, but they do not apply in Clearview’s case, the Dutch DPA writes.
The data watchdog also takes issue with the company’s “insufficient transparency”: Clearview does not give sufficient notice to the people in its database about its use of their photos and biometric data. Under the GDPR, if asked, Clearview has to inform people what data of theirs it has collected. “But Clearview does not cooperate in requests for access.”
The Dutch DPA has ordered Clearview to stop the practices that violate the law. If the company fails to comply, it will face an additional penalty of up to 5.1 million euros.
“Facial recognition is a highly intrusive technology that you cannot simply unleash on anyone in the world,” said Dutch DPA chairman Aleid Wolfsen. “If there is a photo of you on the internet – and doesn’t that apply to all of us? – then you can end up in the database of Clearview and be tracked.”
Use prohibited
Wolfsen concedes that facial recognition can contribute to the work of law enforcement – but in his view, the technology should be used “by competent authorities in highly exceptional cases only.” Police should have to “manage the software and database themselves,” rather than relying on the services of a private company. Moreover, use of the technology should be subject to supervision by relevant authorities.
The chairman also issued a warning to Dutch institutions: “Clearview breaks the law, and this makes using the services of Clearview illegal. Dutch organizations that use Clearview may therefore expect hefty fines.”
The Dutch DPA initiated its investigation last year after receiving several complaints against Clearview. The regulator informed the company of its decision in May. Tuesday’s announcement stated that because Clearview has not officially objected to the decision, the company is unable to appeal the fine.
In a statement sent to US media Clearview’s chief legal officer wrote that the company does not have a place of business or customers in the EU or the Netherlands and is not subject to the GDPR. The Dutch DPA’s decision is “unlawful, devoid of due process and is unenforceable,” the chief legal officer wrote.
Earlier penalties for privacy violations
Prior to this latest fine, several data protection agencies in the EU had taken action against the company. In 2022 Italy’s data regulator imposed a 20 million euro fine. France’s data protection authority meanwhile demanded a penalty of 25.2 million euros.
In the UK the company successfully challenged a fine imposed by the British Information Commissioner’s Office (ICO). A British court ruled in October of last year that the UK regulator did not have jurisdiction. The ICO later indicated its intent to appeal the ruling.
Last month Australia’s privacy regulator announced that it would cease attempts to enforce an order issued to the company in 2021. The regulator had ordered Clearview to delete photos of Australians within 90 days. “There is no indication as to whether Clearview has since complied with the order,” the Guardian reported.
Management to be held accountable?
The Dutch DPA also acknowledged that despite previous fines from other regulatory authorities, Clearview had not changed its conduct. Given this reality, the regulator is looking for ways to ensure compliance. This includes “investigating if the directors of the company can be held personally responsible.”
Wolfsen, the Dutch DPA chairman, said that the company “cannot continue to violate the rights of Europeans and get away with it. Certainly not in this serious manner and on this massive scale.” The regulator now plans to look into whether financial penalties can be imposed on the company’s management for causing the privacy violations. Directors can be held liable, Wolfsen said, if they “know that the GDPR is being violated” and have the authority to put a stop to the violations, but decline to do so.
In July Clearview reached a settlement in a lawsuit in Illinois. In this case as well, the company had been accused of violating the rights of the people impacted by its massive data collection. As part of the settlement, however, Clearview did not admit any liability. (js)