
Dutch data regulator fines Clearview AI €30M, wants personal liability for CEO

CLO says decision ‘unlawful’, and ‘unenforceable’, not subject to GDPR

Regulators in the Netherlands have slapped a massive fine on U.S.-based facial recognition provider Clearview AI for illegally collecting and processing the data of Dutch people, claiming the firm’s activities violate the EU’s General Data Protection Regulation (GDPR).

A summary notice on the European Data Protection Board’s website lists key findings in the decision from the Dutch Data Protection Authority (DPA), resulting in a fine of 30.5 million euro for Clearview AI and orders subject to a penalty for non-compliance up to more than 5 million euro, related to “ending the still ongoing violations.” Among the listed offenses are hosting an illegal database of billions of face photos, turning them into biometric codes, being insufficiently transparent about it, and being an American company.

Specifically, the DPA finds that “for the purpose of their ‘Clearview for law-enforcement and public defenders’ service, Clearview processes, without a legal basis to do so, personal data of data subjects who are within the territory of the Netherlands. In doing so, Clearview violates Article 5(1), opening words and subsection (a) of the General Data Protection Regulation, read in conjunction with Article 6(1) GDPR.”

Clearview also violates various other articles of the GDPR by processing biometrics, which are considered a “special category” of personal data. It does not adequately inform those whose data it collects. It has ignored two access requests from data subjects. It has no designated representative in the EU. And so on.

Clearview’s Chief Legal Officer Jack Mulcaire responded in a statement that “Clearview AI does not have a place of business in the Netherlands or the EU, it does not have any customers in the Netherlands or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR.”

“This decision is unlawful, devoid of due process and is unenforceable.”

In a similar case in France in 2022, Clearview CEO Hoan Ton-That told AFP that the company is not subject to GDPR, has no clients or presence in the country, and therefore regulator CNIL has no jurisdiction. It also cannot enforce the French regulator’s ruling, as it cannot determine who in its database are residents of France.

Facial recognition a ‘doom scenario’ but still OK for police: Wolfsen

In a release, Dutch DPA chairman Aleid Wolfsen calls facial recognition “a highly intrusive technology that you cannot simply unleash on anyone in the world.”

“If there is a photo of you on the Internet – and doesn’t that apply to all of us? – then you can end up in the database of Clearview and be tracked. This is not a doom scenario from a scary film. Nor is it something that could only be done in China.” Wolfsen calls for the drawing of “a very clear line at incorrect use of this sort of technology.”

He notably puts police use of facial recognition on the right side of that line, because they “have to manage the software and database themselves in that case, subject to strict conditions and under the watchful eye of the Dutch DPA and other supervisory authorities.” Commercial businesses lie on the wrong side. Certainly, Wolfsen says, facial recognition should be used “by competent authorities in highly exceptional cases only.”

DPA wants to hold CEO personally liable for crossing red line

Neither the size of the fine nor the DPA’s language leaves any room for misinterpretation on how it feels about Clearview. The company “should never have built the database with photos, the unique biometric codes and other information linked to them. This especially applies to the codes. Like fingerprints, these are biometric data. Collecting and using them is prohibited.”

The DPA also goes out of its way to note that “other data protection authorities have already fined Clearview at various earlier occasions, but the company does not seem to adapt its conduct.”

Thirty million euros may not be the end of it, either: Wolfsen and his team have stated their intention to pursue legal action that would hold management of the company personally liable for directing the violations. In this case, that likely means Clearview CEO Hoan Ton-That. Liability, says Wolfsen, “already exists if directors know that the GDPR is being violated, have the authority to stop that, but omit to do so, and in this way consciously accept those violations.”

Clearview AI continues to ride a rollercoaster of wins and prosecutions.

Google is about to subpoena records from Clearview AI to show its business relationship with four Texas law enforcement agencies as part of its defense against a biometric data privacy lawsuit. Australian regulators decided against suing Clearview but still don’t like it.

Meanwhile, the company’s database of facial images for biometric comparison has grown, reaching 50 billion in total. It has been added to the U.S. federal procurement marketplace. And in June, as part of the settlement of a class action lawsuit that found Clearview AI in violation of BIPA, the company gained a substantial number of new stakeholders, when plaintiffs were offered 23 percent of the company in lieu of cash it could not produce.

Australia’s privacy regulator recently questioned whether Clearview has complied with its previous demands.
