The Dutch Data Protection Authority (Dutch DPA) has levied a penalty of €30.5 million ($33.7 million) against the facial recognition company Clearview AI for breaching the General Data Protection Regulation (GDPR) in the European Union (E.U.) through the creation of an “unlawful database containing billions of images of faces,” including those of Dutch residents.
“Facial recognition is a deeply invasive technology that should not be applied indiscriminately worldwide,” remarked Dutch DPA chairman Aleid Wolfsen in a press release, criticizing Clearview’s practices.
“If an image of you exists on the Web – a scenario likely applicable to all individuals – there’s a possibility for it to be incorporated into Clearview’s database for tracking purposes. This isn’t a fictitious scenario from a horror flick. Nor is it confined solely to China,” added Wolfsen.
Clearview AI is facing scrutiny from regulatory bodies in multiple countries like the U.K., Australia, France, and Italy due to its method of scraping publicly available data online to compile an extensive repository of over 50 billion facial photographs.
The individuals identified through these images are assigned a distinct biometric identifier, which is then utilized in intelligence and law enforcement services to “swiftly identify suspects, persons of interest, and victims for crime-solving and prevention.”
In addition to accusing Clearview of gathering facial data without consent or awareness, the Dutch DPA pointed out that the company falls short in adequately informing the individuals included in its database regarding data usage and lacks a mechanism for data access requests.
As of now, Clearview provides access to residents of six U.S. states – California, Colorado, Connecticut, Oregon, Utah, and Virginia – allowing them to manage, delete, and opt out of profiling.
The DPA also stated that even after its investigation, Clearview failed to cease the violations, warning of an additional fine of €5.1 million ($5.6 million) if corrective actions are not taken promptly. Additionally, Dutch entities are banned from engaging with Clearview’s services.
“We intend to examine the potential personal liability of the company’s management and impose fines for overseeing these transgressions,” Wolfsen added.
“Such accountability already exists when directors are aware of GDPR violations, have the necessary authority to halt them, but choose not to act, thus deliberately tolerating the violations.”
In a communication to the Associated Press, Clearview argued that it is not subject to EU data protection laws since it lacks a physical presence in the Netherlands or the E.U., deeming the decision as “unlawful.”
Earlier this year, Clearview settled a lawsuit based in the U.S. state of Illinois related to facial recognition privacy breaches by awarding plaintiffs a 23% stake in its future valuation instead of a traditional settlement, all while maintaining its denial of any wrongdoing.
About Author
