US firm fined by Dutch for illegal facial recognition data gathering
The Dutch Autoriteit Persoonsgegevens (Personal Data Protection Authority) has announced today that it has imposed a fine of €30.5 mn. on the US company Clearwiew AI, as well as a non-compliance penalty in excess of €5 mn.
Clearview is an American company that offers facial recognition services, which has, inter alia, built up an illegal database with billions of photos of faces, including those of Dutch citizens. Furthermore, the authority has warned that using the services of Clearview is also prohibited.
Clearview offers facial recognition services to intelligence and investigative services. Moreover, Clearview customers can provide camera images to find out the identity of people shown in the images. To this end, Clearview has a database with more than 30 billion photos of people, which it has scraped automatically from the internet and then converted into a unique biometric code per face, all without the knowledge and consent of its victims.
According to the authority’s chair Aleid Wolfsen, “Facial recognition is a highly intrusive technology, that you cannot simply unleash on anyone in the world. If there is a photo of you on the internet – and doesn’t that apply to all of us? – then you can end up in the database of Clearview and be tracked. This is not a doom scenario from a scary film. Nor is it something that could only be done in China. This really shouldn’t go any further. We have to draw a very clear line at incorrect use of this sort of technology.’
Clearview says that it provides services to intelligence and investigative services outside the European Union (EU) only.
Clearwiew’s services illegal and in breach of the the GDPR
Clearview has seriously violated the privacy law General Data Protection Regulation (GDPR) on several points: the company should never have built the database and is insufficiently transparent. It should never have built the database with photos, the unique biometric codes and other information linked to them. This especially applies to the codes. Like fingerprints, these are biometric data. Collecting and using them is prohibited. There are some statutory exceptions to this prohibition, but Clearview cannot rely on them.
Clearview is an American company without an established presence n Europe. Other data protection authorities have already fined Clearview on various earlier occasions, but the company has not changed its conduct. For this reason the Dutch regulator is investigating ways to ensure the violations stop, including whether the company’s directors can be held personally liable for data protection violations.
Wolfsen: ‘Such [a] company cannot continue to violate the rights of Europeans and get away with it. Certainly not in this serious manner and on this massive scale. We are now going to investigate if we can hold the management of the company personally liable and fine them for directing those violations. That liability already exists if directors know that the GDPR is being violated, have the authority to stop that, but omit to do so, and in this way consciously accept those violations.’
Clearview has not objected to the decision and is therefore unable to appeal against the fine.