GDPR fines keep amassing for Clearview AI — a US-based startup known for its thorough (and potentially perilous) facial recognition services.
Following similar measures by data protection authorities in France, Italy, and Greece, the Netherlands' DPA today hit Clearview with a €30.5mn fine for its “illegal” database of photos.
This brings the company's total fines in the EU to €90.5mn.
Clearview offers its facial recognition solutions to intelligence and investigative services, which can benefit from a database of over 50 billion facial images. For this database, the startup is collecting photos from public web sources. This includes social media profiles set to public mode.
In essence, this means that a photo you or I may have on Facebook or Instagram is likely to be part of Clearview's database, enabling potential tracking and identification. Naturally, without our knowledge or consent.
“This is not a doom scenario from a scary film. Nor is it something that could only be done in China,” said DPA chairman Aleid Wolfsen.
Clearview's GDPR violations
Following investigation, the DPA confirmed that photos of Dutch citizens are included in the database. It also found that Clearview is accountable for two GDPR breaches.
The first is the collection and use of photos.
“Clearview should never have built the database with photos, the unique biometric codes, and other information linked to them,” the data authority said.
The second is the lack of transparency. According to the DPA, the startup doesn't offer sufficient information to individuals whose photos are used, nor does it provide access to which data the company has about them.
A Clearview public relations spokesperson emailed TNW a written statement from the startup's Chief Legal Officer, Jack Mulcaire.
“Clearview AI does not have a place of business in the Netherlands or the EU, it does not have any customers in the Netherlands or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR,” Mulcaire said.
“This decision is unlawful, devoid of due process and is unenforceable.”
But according to the DPA, the company hasn't objected to the decision and is unable to appeal against the fine.
The Dutch authority is also levying an extra €5.1mn penalty for non-compliance if Clearview doesn't stop the violations. In addition, the DPA will investigate whether it can hold the management of the company “personally liable” — and therefore, subject to fines.
Expectedly, the use of Clearview's technology by Dutch organisations is now prohibited.
“Facial recognition is a highly intrusive technology, that you cannot simply unleash on anyone in the world,” Wolfsen said.
Meanwhile, just last week the DPA hit Uber with a €290mn fine for transferring “sensitive” driver data to the US. In this case, the ride-hailing company will appeal the decision.