The Dutch Data Protection Authority (DPA) has imposed a hefty fine of 30.5 million euros [approximately US$33.7 million] on Clearview AI, an American company that offers facial recognition services.
The Dutch DPA also issued a warning to organizations in the Netherlands prohibiting the use of Clearview’s services. The company has been found to have built an illegal database of billions of facial photos, including those of Dutch citizens, without their knowledge or consent.
Clearview, which provides facial recognition services to intelligence and investigative agencies, has amassed a vast database of more than 30 billion photos scraped from the internet. These images are then converted into unique biometric codes, allowing customers to identify individuals based on camera footage. The Dutch DPA has deemed this practice as a serious violation of privacy laws.
Why a Fine on Clearview AI is Justified
“Facial recognition is a highly intrusive technology that cannot be unleashed on anyone in the world,” stated Aleid Wolfsen, chairman of the Dutch DPA. “If there’s a photo of you on the internet – and doesn’t that apply to all of us? – then you can end up in the database of Clearview and be tracked. This is not a doom scenario from a scary film.”
While Wolfsen acknowledges the importance of safety and the detection of criminals by official authorities, he suggested that the use of such technology should be restricted to competent authorities in highly exceptional cases. Commercial businesses, like Clearview, are not authorized to build and maintain such databases.
Clearview’s Many GDPR Violations
The Dutch DPA has accused Clearview of violating the General Data Protection Regulation (GDPR) on multiple counts, including building an illegal database and failing to provide sufficient transparency to individuals whose data is stored. The company has also been criticized for its lack of cooperation with requests for access to data.
The European Data Protection Board (EDPB) listed the following violations as the basis of the fine:
- Unlawful Data Processing: Clearview processes personal data in the Netherlands without a legal basis, violating GDPR Articles 5(1) and 6(1).
- Biometric Data Violation: Clearview unlawfully processes biometric data, breaching GDPR Article 9(1).
- Inadequate Disclosure: Clearview fails to properly inform data subjects, violating GDPR Articles 12(1), 14(1), 14(2), and 5(1).
- Access Requests Ignored: Clearview did not respond to access requests, violating GDPR Articles 12(3) and 15.
- Lack of EU Representation: Clearview has not appointed an EU representative, breaching GDPR Articles 4(17) and 27(1).
In addition to the fine, the Dutch DPA has ordered Clearview to stop its offending practices. If the company fails to comply, it could face additional penalties of up to 5.1 million euros. The Dutch DPA is also exploring ways to hold the directors of Clearview personally liable for the violations, a move that could have significant implications for the company’s future.
This decision by the Dutch DPA is a major setback for Clearview AI, which has faced similar legal challenges in other European countries. The fine imposed by the Dutch DPA is one of the largest ever issued for privacy violations, and sends a strong message to other companies involved in facial recognition technology. The Dutch DPA’s stance on the use of facial recognition is likely to influence the development and regulation of this technology in the European Union and beyond.