Greek regulator fines Clearview €20M and orders biometric data deleted
Clearview AI has been fined €20 million ($20.1 million) by a second data regulator in Europe for violating several articles of the European Union’s General Data Protection Rule with its facial recognition service.
Greece’s Hellenic Data Protection Authority responded to a complaint filed by Homo Digitalis and the subject of the data, Marina Zacharopoulou.
The decision refers to a series of events in 2021, beginning with Zacharopoulou’s March request to know what data of hers was in Clearview’s database of images scraped from public internet pages. The request references Article 15 of the GDPR.
The request was acknowledged, though whether the reply was manual or not is not specified in the decision. Clearview responded to a reminder email in April, saying it could not find the original request, and asked for a photo to use in the process, according to the Greek agency. The company notes a formatting issue which may have been behind the difficulty finding the initial email.
At that point, Zacharopoulou turned to the government, the complaint alleges.
Similar appeals have been made in Austria, France, Italy and the United Kingdom.
An Italian regulator issued a €20 million fine in March, and the UK imposed a £7.5 million fine in May. Clearview executives responded to the latter decision by criticizing the information commissioner’s representation of their technology and intentions.
Executives argue that they, as employees of a United States-based firm with no offices in the European Union, are not subject to the GDPR. They also have said their biometric service does not perform surveillance, as some have alleged.
The Greek regulator says Clearview declined to attend its hearing on the matter.
It says that Article 3 of the GDPR, plays here because it addresses situations like this one, where Clearview processed the data of EU citizens. The government also disagreed with Clearview’s position on surveillance, saying that Article 4’s definition of profiling makes it relevant here.
The regulator found Clearview violated the GDPR, but also levied its sizable fine in view of the “nature, gravity and duration of the infringement, which is not an isolated one incident, but it is systematic and concerns the basic principles of its legitimacy processing.” Other factors, including a “lack of cooperation,” were also cited.
The actual violations of GDPR, according to the Greek agency, are the principles of “legality and transparency” and obligations under Articles 12, 14, 15 and 27.
The company has been ordered to comply with the complainant’s request, and to stop collecting, storing and using biometric data collected from people in Greece.
“Clearview AI does not have a place of business in Greece or the EU, it does not have any customers in Greece or the EU, its product has never been used in Greece, and does not undertake any activities that would otherwise mean it is subject to the GDPR,” Clearview CEO Hoan Ton-That told Biometric Update in an email responding to the decision.
This post was updated at 1:47pm Eastern on July 14, 2022 with the response from Clearview’s CEO.