Clearview AI, the controversial U.S.-based facial recognition company, has been slapped with its largest fine to date under the European Union’s General Data Protection Regulation (GDPR). The Netherlands’ data protection authority, Autoriteit Persoonsgegevens (AP), announced a penalty of €30.5 million (approximately $33.7 million) against the company for a series of significant privacy violations. This penalty comes amid growing concerns about the company’s disregard for GDPR compliance and raises the possibility of holding its executives personally liable for continued breaches.
The Core Issues: Unauthorized Data Collection and Non-Compliance
Clearview AI has built its business around a massive database of over 30 billion images, which it collected by scraping social media and other online platforms without user consent. This database is used to power an identity-matching service marketed to law enforcement, government agencies, and private entities. However, the practice of collecting biometric data—like facial images—without a legal basis is a direct violation of the GDPR, which protects the personal data of EU residents.
The Dutch regulator’s fine stems from Clearview AI’s continued disregard for these privacy laws. The AP’s investigation, launched in March 2023 after receiving complaints from three individuals, found that Clearview AI failed to comply with data access requests, which are a fundamental right under the GDPR. EU residents have the right to request a copy of their data or have it deleted, but Clearview AI has consistently ignored such requests, according to the AP.
Beyond these access issues, the AP also sanctioned Clearview AI for creating its database without a valid legal basis and for failing to inform individuals that their data had been collected. The AP stressed that biometric data, such as the facial recognition codes used by Clearview, are considered highly sensitive under the GDPR and are subject to stringent protections.
Increasing the Stakes: Potential Personal Liability for Executives
What makes this case particularly notable is the Dutch regulator’s consideration of holding Clearview AI’s executives personally liable for the ongoing violations. This approach could represent a significant escalation in how GDPR enforcement is handled, particularly against companies based outside the EU that have been uncooperative or non-compliant with the regulation.
The AP’s decision to explore personal liability is driven by Clearview AI’s persistent violations and the company’s refusal to comply with previous GDPR fines, which now total around €100 million across various EU jurisdictions. Clearview AI has not appointed a legal representative in the EU, further complicating efforts to enforce these penalties.
Aleid Wolfsen, chairman of the Dutch DPA, emphasized that companies like Clearview AI cannot be allowed to violate the rights of Europeans with impunity. The potential to hold company directors personally accountable is seen as a way to ensure compliance, especially if these individuals wish to travel freely within the EU. This approach mirrors recent actions taken against other tech executives, such as the arrest of Telegram founder Pavel Durov in France over issues related to illegal content on his platform.
Clearview AI’s Response and the Broader Implications
In response to the Dutch fine, Clearview AI’s chief legal officer, Jack Mulcaire, issued a statement dismissing the penalty as “unlawful, devoid of due process and unenforceable,” citing the company’s lack of operations or customers within the EU. However, under the GDPR’s extraterritorial provisions, any processing of EU citizens’ personal data—regardless of where the company is based—can fall under the regulation’s scope. This means that Clearview AI’s defense is unlikely to hold up, particularly as European regulators intensify their efforts to enforce GDPR compliance.
The implications of this case extend beyond Clearview AI. It serves as a warning to other companies that collect and process personal data without adequate legal safeguards. The potential for personal liability could become a powerful tool for regulators seeking to enforce compliance, especially in cases where companies have proven resistant to financial penalties.
From my perspective, the Dutch DPA’s move to consider personal liability marks a pivotal moment in the enforcement of data protection laws. It signals to tech companies worldwide that European regulators are willing to take significant measures to protect the privacy rights of their citizens. As GDPR enforcement continues to evolve, businesses operating in or affecting the EU market must prioritize compliance or risk severe consequences, both financial and personal.
In conclusion, the record fine against Clearview AI underscores the seriousness with which European regulators are treating privacy violations. As the AP explores holding company executives personally liable, this case could set a new precedent in GDPR enforcement, ensuring that companies and their leaders cannot simply ignore the law.
