
Clearview AI hit with biggest ever GDPR fine as Dutch regulator considers personal liability for executives

Clearview AI, the controversial US facial recognition startup that created a searchable database of 30 billion images by using people's online selfies without their consent, has been hit with the largest-ever privacy fine in Europe.

The Dutch data protection authority Autoriteit Persoonsgegevens (AP) said on Tuesday it had imposed a fine of 30.5 million euros (about $33.7 million at current exchange rates) on Clearview AI for a number of violations of the European Union’s General Data Protection Regulation (GDPR) after confirming that the database contained images of Dutch citizens.

The fine is higher than separate GDPR sanctions imposed in 2022 by data protection authorities in France, Italy, Greece and the UK.

In a press release, the AP warned that it was imposing an additional fine of up to €5.1 million for continued non-compliance, saying that Clearview had failed to stop the GDPR violations after the investigation was completed and that it had therefore issued an additional order. The total fine could reach €35.6 million if Clearview AI continues to defy the Dutch regulator.

The Dutch data protection authority began investigating Clearview AI in March 2023 after receiving complaints from three individuals about the company’s failure to comply with data access requests. GDPR gives EU residents a set of rights related to their personal data, including the right to request a copy of their data or to have it deleted. Clearview AI does not comply with such requests.

The other GDPR violations for which the AP is sanctioning Clearview AI include the most significant one: building a database by collecting people's biometric data without a valid legal basis. The company is also being sanctioned for GDPR transparency shortcomings.

“Clearview should never have built a database of photographs, unique biometric codes and other information associated with them,” the AP wrote. “That is especially true of (facial) codes. Like fingerprints, they are biometric data. Their collection and use are prohibited. There are some statutory exceptions to this prohibition, but Clearview cannot rely on them.”

According to the decision, the company also failed to inform the individuals whose personal data it had collected and added to its database.

When contacted for comment, Clearview representative Lisa Linden of Washington-based PR firm Resilere Partners did not respond to questions but sent TechCrunch a statement attributed to Clearview Chief Legal Officer Jack Mulcaire.

“Clearview AI is not based in the Netherlands or the EU, has no customers in the Netherlands or the EU, and is not taking any action that would otherwise make it subject to GDPR,” Mulcaire wrote, adding: “This decision is unlawful, devoid of due process, and unenforceable.”

According to the Dutch regulator, the company cannot appeal the fine because it did not object to the decision.

It is also worth noting that the GDPR has extraterritorial scope, meaning that it applies to the processing of personal data of EU citizens regardless of where that processing takes place.

US-based Clearview uses scraped human data to sell its identity-matching service to clients, including government agencies, law enforcement and other security services. But its clients are increasingly rare in the EU, where using technology that violates privacy laws can result in regulatory sanctions — as happened to Swedish police in 2021.

The AP warned that it would severely penalize any Dutch entities that seek to use Clearview AI. “Clearview is breaking the law, which makes it illegal to use Clearview’s services. Dutch organizations using Clearview can therefore expect heavy fines from the Dutch DPA,” wrote the chairman of the Dutch DPA, Aleid Wolfsen.

The English-language version of the AP decision can be accessed by clicking on this link.

Personal responsibility?

Clearview AI has faced a number of GDPR fines over the past few years (on paper, it has accumulated around €100 million in EU privacy fines), but regional data protection authorities have apparently had little success in collecting any of those fines. The US-based company remains uncooperative and has not appointed a legal representative in the EU.

More importantly, Clearview AI has not changed its GDPR-violating behavior: it continues to flout European privacy laws while enjoying apparent operational impunity because its headquarters are outside the EU.

The Dutch AP is concerned about this, saying it is investigating ways to ensure that Clearview stops breaking the law. The regulator is investigating whether the company’s directors can be held personally liable for violations.

“Such a company cannot continue to violate the rights of Europeans and get away with it. Certainly not in such a serious way and on such a massive scale. We will now investigate whether we can hold the company’s management personally liable and fine them for directing these violations,” Wolfsen wrote. “This liability already exists if the directors know that the GDPR is being violated, have the right to stop it, but do not do so and thus knowingly accept these violations.”

Given the recent arrest in France of Telegram messaging app founder Pavel Durov on charges of distributing illegal content on his platform, it will be interesting to see whether sanctioning Clearview's executives has a better chance of increasing compliance – after all, they may want to travel freely to and from the EU.