The Dutch Data Protection Authority (Dutch DPA) has imposed a significant fine of 30.5 million euros on Clearview AI, an American company providing facial recognition services. Additionally, the Dutch DPA has threatened further penalties, amounting to over 5 million euros, if Clearview fails to comply with regulations. The crux of the issue lies in Clearview’s illegal collection of billions of facial images, including those of Dutch citizens, to create a massive database used for facial recognition purposes. The Dutch DPA has issued a clear warning that the use of Clearview’s services is also prohibited under Dutch law.
Clearview AI, known for offering facial recognition services to intelligence and investigative agencies, allows its clients to upload camera footage to identify individuals in the images. The company maintains a database of more than 30 billion images, which it scrapes from the internet without the knowledge or consent of the individuals whose photos are included. These images are converted into unique biometric codes, essentially turning every face into a traceable identifier.
The Invasion of Privacy
Dutch DPA chairman Aleid Wolfsen stresses the severity of the privacy invasion caused by Clearview’s technology. “Facial recognition is a deeply invasive tool that cannot be deployed indiscriminately across the globe,” he states. “If there’s a picture of you on the internet—and let’s face it, that applies to almost everyone—your face could end up in Clearview’s database, making it possible for you to be tracked. This isn’t a dystopian fantasy or something limited to authoritarian regimes like China. It’s happening here and now.”
Clearview claims its services are provided solely to intelligence and law enforcement agencies outside the European Union (EU), but Wolfsen argues that even this limited scope is problematic. “It’s alarming enough as it stands. We need to draw a firm line to prevent the misuse of this technology,” Wolfsen asserts.
While Wolfsen acknowledges the legitimate role of facial recognition technology in ensuring public safety and aiding criminal investigations, he emphasizes that such technologies should only be employed under strict regulations. “In rare, exceptional circumstances, competent authorities like the police may use facial recognition. But they must operate the software and database themselves, under stringent conditions and with oversight from regulatory bodies like the Dutch DPA,” he adds.
GDPR Violations by Clearview
The Dutch DPA has issued a stern warning: using Clearview’s services is illegal. “Clearview is violating the law, and any Dutch organizations that utilize their services could face significant fines,” Wolfsen cautions.
Clearview’s actions have flagrantly breached several provisions of the General Data Protection Regulation (GDPR). Most notably, the company has built an unauthorized database of facial images, which includes biometric data, such as facial recognition codes, without the individuals’ consent. Collecting and using biometric data is strictly prohibited under the GDPR, except in rare circumstances, none of which apply to Clearview’s operations.
Moreover, Clearview has been criticized for a lack of transparency. Individuals whose data is included in the company’s database are not adequately informed about how their photos and biometric information are being used. In addition, those individuals have the right to access their personal data under the GDPR. However, Clearview has failed to comply with requests for data access, further compounding its violations.
Despite the Dutch DPA’s investigation, Clearview has not ceased its illegal activities. As a result, the Dutch DPA has issued an order requiring the company to stop its violations. Should Clearview fail to comply, it will face additional penalties totaling up to 5.1 million euros, on top of the initial fine.
International Concerns and Accountability
Clearview is an American company with no physical presence in Europe, which complicates enforcement efforts. Despite fines from various data protection authorities across Europe, the company has shown little willingness to change its practices. In response, the Dutch DPA is exploring additional measures to hold Clearview accountable, including the possibility of holding the company’s directors personally responsible for the violations.
Wolfsen is clear on the matter: “A company like Clearview cannot be allowed to continue violating the privacy rights of Europeans on such a massive scale and expect to escape consequences. We are now investigating whether we can hold the management of the company personally liable. If directors knowingly allow these GDPR violations to persist and fail to stop them, they could face personal penalties.”
As Clearview has not contested the Dutch DPA’s decision, the company is unable to appeal the fine, further cementing the authority’s position in this significant privacy case.
DELTA Data Protection & Compliance, Inc. Academy & Consulting – The DELTA NEWS – Visit: delta-compliance.com