Clearview AI, the controversial U.S.-based facial recognition startup that created a database with 30 million images scraped from the internet without consent, has been fined with the largest sanction imposed so far in Europe for violations of the General Data Protection Regulation (GDPR).
The Netherlands' Data Protection Authority, known as Autoriteit Persoonsgegevens (AP), announced on Tuesday a €30.5 million fine (approximately $33.7 million) against Clearview AI. The fine is due to a series of GDPR breaches after confirming that the company's database contained images of Dutch citizens.
The largest fine to date
This sanction exceeds previous fines imposed by data protection authorities in France, Italy, Greece, and the United Kingdom in 2022. Additionally, the AP warned that it has imposed an additional fine of up to €5.1 million that will be applied if Clearview AI continues to ignore GDPR regulations. This could raise the total penalty to €35.6 million if the company does not correct its practices.
The AP's investigation into Clearview AI began in March 2023, after receiving complaints from three individuals regarding the company’s failure to comply with data access requests. According to the GDPR, EU residents have the right to request a copy of their data or ask for its deletion. Clearview AI has consistently ignored these requests.
Other GDPR violations for which the AP is sanctioning Clearview AI include the creation of a database with people’s biometric data without a valid legal basis and a lack of transparency in its data collection practices. The AP emphasized that Clearview should never have built a database with photos and unique biometric codes without informing the affected individuals.
Personal liability for executives?
Despite the multiple fines imposed on Clearview AI in Europe, the company has been uncooperative and has not appointed a legal representative in the EU, which has made enforcing these sanctions difficult. Even more concerning is that the company has not changed its behavior, continuing practices that violate European privacy laws.
In response to this situation, the AP is considering new measures to ensure that Clearview AI complies with the law, including the possibility of holding the company's executives personally liable. According to Aleid Wolfsen, president of the AP, if it is proven that Clearview's executives knew about the GDPR violations and had the authority to stop them but failed to do so, they could be individually sanctioned.
This approach could be more effective in enforcing compliance, especially if the executives wish to maintain the freedom to travel to Europe without facing legal issues.