Clearview AI, a controversial face recognition company based in the United States, has recently faced its largest GDPR penalties to date from the Dutch data protection regulator. The company, known for scraping the internet for selfies without permission in order to create a massive searchable database of 30 billion images, was fined €30.5 million by the Autoriteit Persoonsgegevens (AP) for multiple violations of the General Data Protection Regulation (GDPR).
This fine is the largest European privacy penalty that Clearview AI has received, surpassing previous penalties from France, Italy, Greece, and the U.K. The AP also issued an additional €5.1 million penalty for ongoing non-compliance with the GDPR, bringing the total potential fine for Clearview AI to €35.6 million.
The investigation into Clearview AI by the Dutch data protection authority began in March 2023 after the authority received complaints from three individuals about the company’s data collection practices. Under the GDPR, EU citizens have the right to access or delete their personal data, but Clearview AI failed to comply with these requests.
In addition to unauthorized data collection, Clearview AI was also found to have illegally gathered biometric data to create its database and was cited for transparency issues related to GDPR compliance. The AP stated that Clearview should never have created a database with biometric data without the consent of the individuals involved and failed to notify those whose data was collected.
The corporation’s chief legal officer, Jack Mulcaire, claimed that Clearview AI does not have a presence in the EU, does not have customers in the Netherlands, and is not subject to the GDPR. However, the Dutch regulator disagreed, asserting that the GDPR applies to any company processing the personal data of EU citizens, regardless of the company’s location.
In response to Clearview AI’s refusal to comply with the GDPR, the AP is considering holding corporate executives personally liable for violations. The agency is investigating whether company directors can be penalized for ordering infractions of the GDPR, potentially imposing personal fines on those responsible.
The AP’s actions reflect a growing concern over the ability of foreign companies to operate with impunity in European markets while disregarding EU privacy laws. By targeting corporate executives, the regulator hopes to create a stronger deterrent against future violations and ensure greater accountability for data protection breaches.
The potential for personal liability raises questions about the impact on companies operating in the EU and the behavior of their leadership. Just as the recent arrest of Telegram founder Pavel Durov in France for content violations raised awareness of legal consequences for tech executives, the threat of personal fines for GDPR violations could compel Clearview AI’s managers to take compliance more seriously.
Ultimately, the Dutch regulator’s actions against Clearview AI highlight the importance of enforcing data protection laws and holding companies accountable for privacy violations. By considering personal liability for corporate executives, the AP aims to send a strong message that compliance with the GDPR is non-negotiable, regardless of a company’s location or size.