In a significant ruling, the Dutch Data Protection Authority (DPA) announced on September 3, that it has imposed a hefty fine of €30.5 million on the U.S.-based company Clearview AI for illegal data collection and privacy violations. The Dutch DPA also issued an additional penalty order, warning that non-compliance could result in further fines amounting to €5.1 million. Clearview AI, known for offering facial recognition services, has amassed a vast database of more than 30 billion facial images, including those of Dutch citizens, in direct violation of European privacy laws.
Clearview’s business model revolves around providing facial recognition technology to intelligence and investigative agencies. By allowing customers to upload camera images, the company’s software can identify individuals by matching the images against its extensive database of photos. These photos are scraped from the internet without the knowledge or consent of those depicted, violating fundamental data protection principles.
Aleid Wolfsen, chairman of the Dutch DPA, emphasized the serious privacy concerns associated with Clearview’s practices. He warned that Clearview’s illegal operations could lead to significant risks for individuals around the world. “Facial recognition is a highly intrusive technology that you cannot simply unleash on anyone in the world,” Wolfsen said. “If there is a photo of you on the Internet—and doesn’t that apply to all of us?—then you can end up in the database of Clearview and be tracked.”
Clearview claims that its services are only available to non-European Union intelligence agencies. However, Wolfsen criticized this justification, stating that such technology should only be used in highly regulated, exceptional cases and solely by law enforcement agencies under strict oversight. “This sort of technology has no place in the hands of a commercial company,” Wolfsen added, reinforcing that competent authorities, such as the police, should manage such software with appropriate safeguards.
The DPA’s ruling makes it clear that any use of Clearview’s facial recognition services in the Netherlands is illegal. Wolfsen issued a stark warning to Dutch organizations: “Clearview breaks the law, and this makes using the services of Clearview illegal. Dutch organizations that use Clearview may therefore expect hefty fines from the Dutch DPA.”
Clearview has been found to be in direct violation of the General Data Protection Regulation (GDPR) on multiple fronts. The most significant breach is the creation of an illegal database containing biometric data, which includes unique facial codes. These biometric identifiers, much like fingerprints, are considered sensitive personal data and are strictly regulated under GDPR. Collecting and using such data is prohibited, with only a few statutory exceptions, none of which apply to Clearview.
Clearview AI has also failed to provide transparency regarding its data collection practices. The company does not sufficiently inform individuals that their photos and biometric data are being used, nor does it comply with requests from individuals seeking access to their data. Under GDPR, individuals have the right to know what data is being collected about them and how it is being used. Clearview’s refusal to honor these requests constitutes another serious violation.
Despite a previous investigation by the Dutch DPA, Clearview continued its illegal activities, prompting the DPA to impose an additional penalty for non-compliance. If the company fails to cease its violations, it will face an incremental fine of €5.1 million.
Clearview is an American company with no physical presence in Europe, making enforcement of European privacy laws more challenging. However, Clearview has already faced fines from other European data protection authorities, though the company has yet to modify its practices. In response, the Dutch DPA is exploring additional legal avenues, including the potential personal liability of Clearview’s executives.
According to the Associated Press, Clearview AI has also faced legal challenges in the United States. In June 2024, the company reached a settlement in an Illinois lawsuit that accused it of violating the privacy rights of individuals whose photos were included in its database. The settlement, valued at more than $50 million, resolved allegations that Clearview’s massive collection of facial images violated state privacy laws. As part of the agreement, Clearview did not admit any liability.
Need Help?
With every day comes a new AI regulation or bill, and you might have questions and concerns about how it will impact you. Don’t hesitate to reach out to BABL AI. Their Audit Experts are ready to provide valuable assistance.
