Clearview AI Faces Biggest GDPR Fine to Date as Dutch Authority Weighs Personal Liability for Executives

Clearview AI, the controversial U.S. facial recognition startup notorious for its searchable database comprised of 30 billion images scraped from the internet without consent, faces its largest privacy fine to date in Europe. The Netherlands' data protection authority, Autoriteit Persoonsgegevens (AP), announced on Tuesday that it has fined Clearview AI €30.5 million (approximately $33.7 million) for multiple violations of the European Union’s General Data Protection Regulation (GDPR), confirming that its database contains images of Dutch citizens.

This hefty fine surpasses individual GDPR penalties imposed by regulatory bodies in France, Italy, Greece, and the U.K. back in 2022. In its press release, the AP also indicated an additional potential penalty of up to €5.1 million for continued non-compliance, noting that Clearview failed to address GDPR violations post-investigation. If Clearview AI persists in ignoring the directives from the Dutch regulator, the total fine could reach €35.6 million.

The investigation into Clearview AI commenced in March 2023, following complaints from three individuals regarding the company’s failure to comply with data access requests, a right granted to EU residents under GDPR. These rights allow individuals to request copies of their data or ask for its deletion. However, Clearview AI has neglected such requests.

Other GDPR violations associated with Clearview AI include the collection of biometric data—such as facial recognition codes—without a valid legal basis. The AP's statement emphasized, “Clearview should never have built the database with photos, unique biometric codes, and related information. Collecting and using such data is prohibited, and while some exceptions exist, Clearview cannot invoke them.”

Additionally, the company failed to inform individuals whose personal data was scraped and added to its database.

When contacted for comment, Clearview’s representative, Lisa Linden from Resilere Partners, did not respond to inquiries. However, she provided a statement attributed to Clearview’s chief legal officer, Jack Mulcaire. He stated, “Clearview AI does not have a place of business in the Netherlands or the EU, does not serve customers in these regions, and does not engage in activities subject to GDPR.” Mulcaire further claimed, “This decision is unlawful, lacks due process, and is unenforceable.”

According to the Dutch regulator, Clearview cannot appeal the penalty as it did not object to the initial decision. Notably, GDPR applies extraterritorially, meaning it affects the processing of personal data of EU citizens regardless of where the processing occurs.

Clearview AI, based in the U.S., utilizes scraped data to provide identity-matching services to clients, including government agencies and law enforcement. However, its use of privacy-invasive technology has deterred potential clients from the EU, particularly following incidents such as a penalty imposed on a Swedish police authority in 2021 for similar reasons.

The AP has warned that it will vigorously sanction any Dutch entities that attempt to use Clearview AI’s services. “Clearview is breaking the law, rendering its services illegal in the Netherlands. Organizations using Clearview should expect substantial fines from the Dutch DPA,” stated Aleid Wolfsen, chairman of the Dutch DPA.

Clearview AI has amassed significant GDPR-related penalties over recent years, reportedly totaling around €100 million. However, regional data protection authorities have struggled to enforce these fines, as the company remains uncooperative and has not designated a legal representative in the EU.

The Dutch AP is increasingly concerned about Clearview’s continued disregard for European privacy laws and is exploring avenues to compel compliance. This includes investigating the possibility of holding the company's directors personally liable for the violations.

Wolfsen stated, “Such a company cannot continue to violate the rights of Europeans without consequences. We are now looking into whether we can impose personal liability on the management for directing these violations.”

This discussion of personal accountability aligns with recent events, such as the arrest of Pavel Durov, founder of messaging app Telegram, in France due to allegations related to unlawful content. It raises questions about whether holding individuals accountable at Clearview could potentially enhance compliance, particularly as they may wish to travel freely within the EU.