In July 2022, the Greek Data Protection Authority (DPA) imposed a mammoth fine of 20 million Euros on Clearview AI. According to DPA Decision No 35/2022, this fine followed a complaint by the nonprofit organisation “Homo Digitalis” regarding the processing of biometric data. This is the highest fine imposed by the Greek DPA since the implementation of the GDPR. The DPA’s enforcement decision is part of a broader mistrust in Europe towards Clearview’s mass surveillance practices through facial recognition. The decision reflects the public attention AI-supported facial recognition technologies have been gaining recently.
Pan-European action against Clearview AI
Clearview AI collects information derived from publicly available photos and selfies on social media platforms and other online sources, including their metadata, i.e. the URLs of the websites where those photos are located. These techniques are commonly known as web scraping methods. Clearview AI matches the collected data against its facial recognition software to include it in its extensive database of more than 10 billion facial images. Access to the database is sold to private companies and law enforcement agencies around the world.
In May 2021, several nonprofit organisations (including Homo Digitalis, Privacy International, Hermes Center, and Noyb) lodged complaints before the supervisory authorities of Greece, Austria, France, Italy and the United Kingdom, in an effort to create a coordinated response to these practices.
As of today, several DPAs in Europe (CNIL, ICO and Garante) have found numerous GDPR infringements by Clearview AI. These DPAs have imposed several sanctions, totaling almost 50 million Euros. Additionally, the DPAs ordered Clearview AI to delete and stop processing affected data. Austria’s ruling is expected to be released in the coming months.
The ruling of the Greek DPA
In this case, the complainant claimed that Clearview did not appropriately respond to her data access request. More generally, the complainant requested that the data collection practices of Clearview AI be examined as a whole.
The Greek DPA, in its 21-page Decision, determined that Clearview AI, as a controller, breached the GDPR principle of lawfulness, fairness and transparency. Furthermore, Clearview AI violated its obligations to provide access and information, and the requirement for non-EU controllers to name an EU representative. The Greek DPA further reasoned that “the processing in question does not concern a simple collection of data.” Instead, Clearview AI converted the photographs it collected into biometric data. As the GDPR imposes differing requirements on the collection of photographs and the processing of biometric data, Clearview AI would have needed separate legal bases for both.
As a result, the DPA elected to impose this record-breaking fine and an accompanying compliance order that requires Clearview AI to act in accordance with its obligations.
In determining the fine, the Greek DPA took into account, amongst other factors, “the nature, gravity and duration of the infringement, which is not an isolated incident, but is systematic and concerns the basic principles of the lawfulness of the processing (art. 5, 6, 9 GDPR), which are fundamental to the protection of personal data”. Other factors considered were the number of affected subjects in the Greek territory, and also the fact that Clearview AI collects and processes biometric data, a particularly sensitive category of data. In other words, Clearview AI was deemed to have violated the main concepts of the GDPR, thereby posing a particularly high risk to individuals’ rights.
Lastly, with regard to the GDPR’s territorial scope, it is worth noting that Clearview AI is a U.S.-based company that does not operate or offer services in Greece or the EU. However, if products are used to monitor or otherwise affect EU citizens, this case clearly shows that GDPR compliance still might be required. Accordingly, companies based outside the EU should be prepared to assess possible risks. Clearview AI’s reaction to these DPA enforcement actions seems to suggest that Clearview AI may attempt not to conduct business in Europe anymore. Time will tell if this attempt can be successful, especially from the regulator’s perspective.
Assessment of compliance risks can be made much easier if your organisation has a comprehensive and proactive data protection programme in place. Experienced DPOs can support you in maturing data protection, and in avoiding adverse effects, such as penalties or public mistrust of your services.