A Historic Fine in Europe
The Autoriteit Persoonsgegevens (AP), the Netherlands’ Data Protection Authority, has imposed a record-breaking fine of €30.5 million on Clearview AI, a U.S.-based facial recognition company. This is the largest fine Clearview AI has faced in Europe for violating the General Data Protection Regulation (GDPR). The fine relates to the company’s illegal collection and storage of biometric data without proper consent, marking a significant enforcement action in Europe.
The Largest GDPR Fine to Date
This €30.5 million fine imposed by the Netherlands’ AP surpasses all previous fines levied against Clearview AI by data protection authorities in countries such as France, Italy, Greece, and the United Kingdom. In addition, the AP warned that if Clearview AI continues to ignore GDPR requirements, an additional €5.1 million penalty will be enforced, potentially raising the total fine to €35.6 million.
Investigations Leading to the Fine
The AP launched its investigation into Clearview AI in March 2023 after receiving complaints from Dutch citizens who were denied access to their personal data, a clear violation of the GDPR. Under GDPR rules, EU citizens have the right to access their data or request its deletion. Clearview AI has been found to repeatedly ignore these requests, breaching multiple provisions of the GDPR.
GDPR Violations by Clearview AI
Clearview AI’s core violation involved building a biometric database from millions of images scraped from the internet without obtaining consent from the individuals depicted. This unauthorized data collection violated GDPR regulations, which require a valid legal basis for collecting and processing personal data, particularly biometric data. The AP highlighted that Clearview’s actions were not only illegal but also lacked transparency, further compounding the violation.
Lack of Transparency and Legal Basis
Clearview AI’s failure to provide transparency in its data collection practices is a major concern under GDPR, which demands that companies inform individuals about how their data is being used. In this case, the AP emphasized that Clearview AI had no valid justification for collecting biometric information from millions of people and never informed those individuals about the existence of this database.
Potential Personal Liability for Clearview AI Executives
Despite facing multiple fines across Europe, Clearview AI has shown little willingness to comply with European privacy laws. The company has failed to appoint a legal representative in the EU, a GDPR requirement for non-EU companies processing European citizens’ data. This non-cooperation has made enforcing fines more difficult.
Holding Executives Personally Accountable
In response to Clearview AI’s lack of compliance, the AP is considering an unprecedented step: personal liability for the company’s executives. Aleid Wolfsen, the president of the AP, has suggested that if it is proven that Clearview’s executives were aware of the GDPR violations and had the power to stop them but chose not to, they could face individual penalties. This approach could put pressure on the company to take GDPR compliance seriously, as it may prevent executives from traveling freely to Europe without facing legal consequences.
Conclusion: A Landmark GDPR Enforcement Case
Clearview AI’s record-breaking €30.5 million fine marks a significant moment in GDPR enforcement, underscoring the importance of data privacy and the EU’s commitment to upholding its regulations. With potential fines reaching €35.6 million and the possibility of personal liability for executives, this case sets a new precedent for companies handling biometric data and operating in violation of European privacy laws. The clear message to companies is that non-compliance with the GDPR will not be tolerated, and enforcement measures will only become stricter.
