Clearview AI, an American facial recognition company, has been sanctioned by the Dutch Data Protection Authority (DPA) for violating the GDPR.
The General Data Protection Regulation (GDPR) sets out strict laws for the collection, processing, and protection of personal data within the European Union (EU) and for organisations handling EU citizens’ data.
Clearview AI offers facial recognition services to intelligence and investigative services. The platform includes a network of over 50 billion facial images sourced from the internet, including news media, mugshot websites, public social media, and other open sources.
Once images are collected, the system uses machine learning algorithms to convert facial features into a numerical code called a faceprint, which uniquely identifies each face in the database. When a user uploads an image to the platform, Clearview AI processes the image and returns links to publicly available images that contain faces similar to the person pictured in the uploaded image.
The DPA alleges that Clearview’s database includes illegally sourced photos, including those of Dutch people. Since the facial images are sourced from open-source platforms, consent is not obtained from the individuals in the photographs.
Article 6 of the GDPR—Lawfulness of Processing—states that for processing any personal data (including images), there must be a lawful basis, with consent being one of these bases. In the case of personal data such as facial images, which are considered biometric data, Clearview is in violation, as the company did not obtain consent from the individuals whose images are included in its database.
Aleid Wolfsen, chairman of the Dutch DPA, commented, “Facial recognition is a highly intrusive technology that you cannot simply unleash on anyone in the world.” While Wolfsen acknowledges the potential value of a tool like Clearview AI, he argues that it is inappropriate for commercial businesses to use it. Instead, he believes it should be restricted to authorities such as the police, and only used in highly exceptional cases. He also stated that such use must be subject to strict supervisory monitoring to ensure proper oversight.
Due to this violation, Clearview AI was fined a sum of €30.5 million. The DPA further stated that the company did not stop the violations after the investigation. If it fails to comply, it may face additional penalties for non-compliance, with a maximum total of €5.1 million on top of the original fine. The DPA is also considering investigating the company’s directors to determine if they can be held personally responsible for the violations.
Additionally, the Dutch DPA has prohibited the use of Clearview AI in the Netherlands, stating that using Clearview’s services is illegal, and Dutch organizations that continue to use Clearview AI may face substantial fines.
This is not the first time Clearview AI has faced legal action for privacy violations. In July, the company settled a major lawsuit in the U.S. for breaching Illinois’ Biometric Information Privacy Act (BIPA) by collecting biometric data without consent.
Privacy is an important factor in cybersecurity, and tools like Clearview AI have the potential to breach it. Clearview AI states that it only offers its solutions to government agencies and their agents; however, it is still concerning that people’s images, to which they did not consent, are being uploaded and used.
This case raises concerns about how to ensure the responsible use of AI and who should have the authority to deploy such sensitive technology. It also highlights the importance of strict regulations like the GDPR in safeguarding personal privacy.