Netherlands: Face-Recognition Company Clearview AI Fined for Violating EU’s General Data Protection Regulation

On May 16, 2024, the Dutch Data Protection Authority (DPA) (Autoriteit Persoonsgegevens, AP) fined Clearview AI Inc. 30.5 million euros (approximately US$33.5 million) for violating the European Union’s (EU’s) General Data Protection Regulation (GDPR), in particular by processing personal, biometric data without a proper legal basis. The DPA also issued four enforcement orders that effectively require the company to cease its current operations within the EU.

Clearview, a New York-based firm, provides artificial intelligence (AI)-powered facial recognition technology built on a vast database of images collected from individuals around the world.

Background and Applicable Law

The GDPR, which came into effect on May 25, 2018, applies directly in all EU member states and regulates the processing of personal data. It requires data controllers to adhere to key principles, including establishing a legitimate legal basis for processing personal data. (GDPR, Arts. 5, 6.) “Data processing” encompasses any action taken on personal data, such as collection, recording, structuring, and storage. (Art. 4, para. 2.) The GDPR applies even if the data controller is based outside the EU as long as personal data of individuals within the EU is being processed, especially when the processing includes monitoring their behavior within the EU. (Art. 3, para. 2.)

Under the GDPR, personal data must be processed lawfully. One possible legal basis is demonstrating a legitimate interest in processing the data. However, such interests may be overridden by the interests or fundamental rights and freedoms of the data subject. (Art. 6, para. 1(f).) The Dutch DPA, as the competent national supervisory body, is empowered to impose administrative fines and orders against data controllers when GDPR violations are identified. (Art. 58, paras. 1, 2.)

Clearview’s Business Model

Clearview offers services that use facial recognition technology, meaning an algorithm capable of precisely analyzing facial features in an image, enabling it to recognize the same individual across other images. (DPA Decision, Para. 6.) The company employs an advanced algorithm based on machine learning, which converts a face into a unique code, known as an “embedding” or “vector.” By comparing these vectors, the algorithm can identify and match other images featuring the same individual. (Para. 7.) Clearview has compiled a database of more than 30 billion photos from publicly accessible sources such as social media, websites, news, mugshots, and U.S. public databases on convicted individuals. (Para. 8.) Each photo in the database is associated with corresponding metadata that supports the identification of the person depicted. (Para. 11.) One of the key services offered by Clearview is the “Clearview for law-enforcement and public defenders” service. Once the user provides a “probe image” of the subject, the system matches the image against its database and helps the user identify the subject. (Paras. 13-19.)

Decision

The DPA concluded that Clearview, through its “Clearview for law-enforcement and public defenders” service, processes personal data of individuals within the Netherlands without a legal basis. The processed data includes biometric data, a category specially protected under the GDPR. (Art. 9, para. 1.) The Dutch DPA emphasized that the processing of personal data is not incidental to Clearview’s service but central to its operation. Clearview systematically processes large-scale personal data for facial recognition, but its business interests do not qualify as a legitimate interest for data processing under the GDPR. (Art. 6, para. 1(f).) (Para. 91.)

The DPA identified three additional violations: failure to meet transparency obligations (art. 12, paras. 1, 14), failure to respond to two access requests (art. 12, paras. 3, 15), and failure to facilitate the exercise of access rights (art. 12, paras. 2, 15). Assessing the severity of these violations, the DPA highlighted the impact on a significant number of data subjects in the Netherlands, including minors, who are entitled to heightened protection. (Para. 201.) It considered it particularly serious that Clearview obstructed individuals from exercising their access rights and failed to provide all required information under article 14 of the GDPR.

Furthermore, the DPA expressed concern that Clearview knowingly continued its conduct despite sanctions imposed by other EU supervisory authorities, indicating deliberate intent behind the violations. (Para. 205.) At the time of the decision, Clearview had not ceased the unlawful processing activities, prompting the DPA to issue four compliance orders, each subject to penalties, aimed at halting the identified violations. (Paras. 223-236.)

Related Developments

In Germany, the governing parties in parliament have proposed a new law that stands in contrast to the decision of the Dutch DPA. Following the successful conclusion of a decades-long search for a domestic terrorist, which was initiated by a group of journalists using an AI tool similar to Clearview’s, the proposed law would allow the German federal police to access public databases similar to the one created by Clearview. (Art. 1 of the Draft Law to Improve the Fight Against Terrorism.) This proposal has faced criticism from legal scholars, who argue that the combination of mass data collection, data evaluation, database merging, and the use of AI constitutes a breach of both the German Constitution and EU law.

Prepared by Maximilian Spitzley, Law Library Intern, under the supervision of Jenny Gesley, Foreign Law Specialist

Law Library of Congress, October 17, 2024


Rights & Access

Publications of the Library of Congress are works of the United States Government as defined in the United States Code 17 U.S.C. §105 and therefore are not subject to copyright and are free to use and reuse.  The Library of Congress has no objection to the international use and reuse of Library U.S. Government works on loc.gov. These works are also available for worldwide use and reuse under CC0 1.0 Universal. 


Credit Line: Law Library of Congress

Cite This Item

Citations are generated automatically from bibliographic data as a convenience, and may not be complete or accurate.

Chicago citation style:

Gesley, Jenny. Netherlands: Face-Recognition Company Clearview AI Fined for Violating EU’s General Data Protection Regulation. 2024. Web Page. https://www.loc.gov/item/global-legal-monitor/2024-10-16/netherlands-face-recognition-company-clearview-ai-fined-for-violating-eus-general-data-protection-regulation/.
