Clearview AI Faces Largest GDPR Fine Yet from Dutch Authorities

Clearview AI, the U.S.-based facial recognition startup, has been slapped with its largest General Data Protection Regulation (GDPR) fine yet. The Netherlands' data protection authority, Autoriteit Persoonsgegevens (AP), announced a €30.5 million ($33.7 million) penalty for a range of GDPR violations. This hefty penalty underscores the company's controversial practice of scraping the internet for billions of images without consent to build a searchable database, which includes images of Dutch citizens.

The fine exceeds previous sanctions imposed by other European data protection authorities in France, Italy, Greece, and the United Kingdom. According to AP, the penalty could increase by an additional €5.1 million if Clearview AI fails to comply with GDPR regulations. This potential total of €35.6 million marks a significant financial and operational challenge for the startup.

Clearview AI's database has been a subject of intense scrutiny since it was confirmed to contain biometric data of EU citizens without a legal basis. GDPR mandates require stringent adherence to transparency and consent procedures when dealing with personal data, particularly biometric data akin to fingerprints. The Dutch AP has emphasized that using such data without a valid legal basis or adequate transparency is a severe violation of the law.

The investigation into Clearview AI began in March 2023 following complaints from individuals who reported that the company did not comply with data access requests, a right granted to EU residents under GDPR. These rights include obtaining a copy of or requesting the deletion of personal data held by companies. Clearview AI's non-compliance with these requests has been a critical factor in the AP's decision to levy this substantial fine.

Clearview AI's response has been dismissive. The company's Chief Legal Officer, Jack Mulcaire, stated that since Clearview AI does not have a business presence or customers in the EU, it does not fall under GDPR's jurisdiction. However, GDPR's extraterritorial scope implies that any processing of personal data of EU citizens, regardless of where the company is based, must comply with the regulations.

Despite accumulating nearly €100 million in fines across multiple EU countries, Clearview AI remains resistant to complying with GDPR mandates, posing challenges for EU regulators in enforcing these penalties. The ongoing defiance has led the Dutch AP to consider whether the company's executives can be held personally liable for the violations, which could entail legal actions against them.

The potential for personal liability suggests that regulatory bodies are increasingly looking for more effective enforcement mechanisms against companies flouting privacy laws. This move could serve as a warning to other businesses that handle personal data without proper compliance, signaling stringent consequences not just at the corporate level but also for individual executives who direct such activities.

Clearview AI's business model, which revolves around selling identity-matching services to primarily U.S.-based government and law enforcement agencies, is inherently at odds with European privacy standards. The company's continued operations in this manner despite regulatory fines highlight the jurisdictional enforcement challenges faced by GDPR regulators. Moreover, the fines may not be as financially damaging to Clearview AI if their primary revenue stream remains unaffected by these penalties.

However, the Dutch AP has warned that any Dutch entity using Clearview AI's services would be subject to penalties, potentially deterring local organizations from engaging with the company. This directive further reinforces the EU's commitment to protecting personal data and ensuring compliance among all entities operating or dealing with EU citizens' data.

Looking ahead, holding company directors personally accountable could serve as a significant deterrent. The recent arrest of Telegram founder Pavel Durov in France over illegal content issues illustrates that personal liability can indeed have profound repercussions. By potentially targeting Clearview AI's directors, European regulators may find a more effective leverage point to enforce GDPR compliance and protect citizens' privacy.

The Clearview AI case emphasizes a critical aspect of global business operations in the digital age—respect for data privacy laws across jurisdictions. With the regulatory landscape tightening, companies dealing with personal data must prioritize compliance, transparency, and ethical data practices to avoid legal pitfalls and maintain trust with users and regulators alike.