Sep 04, 2024Ravie LakshmananGDPR / Privacy
The Dutch Data Protection Authority (Dutch DPA) has slapped a hefty fine of €30.5 million ($33.7 million) on facial recognition company Clearview AI for breaching the General Data Protection Regulation (GDPR) in the European Union (E.U.), by constructing an “illegal database with billions of photos of faces,” including those of Dutch nationals.
“Facial recognition is an intrusive technology that cannot be deployed indiscriminately,” said Dutch DPA chairman Aleid Wolfsen commented in an official statement.
“If your photo is on the Internet – and whose isn’t? – you could find yourself in Clearview’s database and subject to tracking. This is not a dystopian scenario from a movie. It’s a reality that transcends borders.”
Clearview AI has found itself in hot water with regulators in various countries, including the U.K., Australia, France, and Italy, due to its practices of scraping publicly available online content to amass a database exceeding 50 billion photos of individuals’ faces.
The people identified via these images are assigned a unique biometric code, which is then integrated into intelligence and investigative services offered to law enforcement agencies to “swiftly identify suspects, persons of interest, and victims for solving and preventing crimes.”
In addition to accusing Clearview of harvesting users’ facial data without their consent or awareness, the Dutch DPA noted that the company fails to adequately inform individuals included in its database on how their data is utilized and does not provide a means to access their data upon request.
At present, only residents of six U.S. states – California, Colorado, Connecticut, Oregon, Utah, and Virginia – have the option to access, delete, and opt-out of profiling through Clearview.
The DPA further alleged that the New York-based firm continued the violations even after being warned, prompting the regulator to order an immediate cessation of the infractions or face an additional fine of €5.1 million ($5.6 million). Moreover, Dutch entities are prohibited from using Clearview’s services as per the ruling.
“We will explore the possibility of holding the company’s management personally accountable and imposing fines for overseeing these transgressions,” Wolfsen stated.
“Under the law, directors can be held liable and fined if they are aware of GDPR violations, have the authority to halt them, but choose not to take action and knowingly permit the violations to persist,” he added.
In a response to the Associated Press, Clearview argued that it is not subject to E.U. data protection laws since it does not have offices in the Netherlands or the E.U., and called the decision “unjust.”
Earlier in June, the company settled a lawsuit in Illinois by agreeing to grant plaintiffs a 23% stake in its future value, without admitting to any wrongdoing.