Data watchdog fines Clearview AI $33M for 'illegal' data collection

Selfie-scraper again claims European law does not apply to it

The Dutch Data Protection Authority (DPA) has fined controversial facial recognition company Clearview AI €30.5 million ($33 million) over the "illegal" collation of images.

The problem, as far as the Dutch DPA is concerned, is that people in the images scraped by Clearview AI are not aware of the process, and have not given consent.

"Facial recognition is a highly intrusive technology that you cannot simply unleash on anyone in the world," said DPA chairman Aleid Wolfsen in a statement.

"If there is a photo of you on the internet – and doesn't that apply to all of us? – then you can end up in the database of Clearview and be tracked.

"Clearview breaks the law, and this makes using the services of Clearview illegal. Dutch organisations that use Clearview may therefore expect hefty fines from the Dutch DPA."

In response, Jack Mulcaire, Chief Legal Officer at Clearview AI, said in a statement sent to The Register: "Clearview AI does not have a place of business in the Netherlands or the EU, it does not have any customers in the Netherlands or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR. This decision is unlawful, devoid of due process, and is unenforceable."

The US company is no stranger to legal action over its database. Clearview software crawls the World Wide Web for publicly available photos. It adds these to its database, which, according to Clearview, stands at more than 50 billion images.

Customers can then use images of their own (for example, something captured by a security camera) with this data to identify the people in them.

Clearview says: "Government agencies that use our platform can experience high-quality leads with fewer resources expended. These leads, when supported by other evidence, can help effectively and rapidly identify suspects, persons of interest, and victims to help solve and prevent crimes."

However, the Dutch DPA believes Clearview has violated the General Data Protection Regulation (GDPR). People in the database should be able to access data recorded about them, and they should be informed if that data is being stored.

"Clearview did not stop the violations after the investigation by the Dutch DPA," the watchdog thundered. "That is why the Dutch DPA has ordered Clearview to stop those violations. If Clearview fails to do this, the company will have to pay penalties for non-compliance in a total maximum amount of 5.1 million euros on top of the fine."

Except Clearview AI is not based in the EU. It has also declared itself not subject to the UK's Information Commissioner's Office (ICO) jurisdiction after the fines have rolled in.

However, as Telegram's Pavel Durov has recently discovered during his run-in with the French authorities, regulators and government bodies are taking a closer look at director liabilities.

After noting that other data protection authorities have already issued fines without seeming to have had much effect on Clearview's conduct, the Dutch DPA said it was "looking for ways to make sure that Clearview stops the violations. Among other things, by investigating if the directors of the company can be held personally responsible for the violations."

Wolfsen said: "Such companies cannot continue to violate the rights of Europeans and get away with it. Certainly not in this serious manner and on this massive scale.

"We are now going to investigate if we can hold the management of the company personally liable and fine them for directing those violations. That liability already exists if directors know that the GDPR is being violated, have the authority to stop that, but omit to do so, and in this way consciously accept those violations."

It sounds like any planned European vacation for Clearview execs would need to be put on ice for the time being. ®

More about

TIP US OFF

Send us news


Other stories you might like