Clearview AI, al U.S. facial recognition startup, has received its largest privacy fine in Europe so far. The Netherlands’ data protection authority, Autoriteit Persoonsgegevens (AP), announced on Tuesday a €30.5 million penalty against the company for multiple breaches of the European Union’s General Data Protection Regulation (GDPR). This fine exceeds previous sanctions imposed on Clearview AI by regulators in France, Italy, Greece, and the U.K. in 2022.
Clearview AI built its database by scraping the internet for selfies and other images without the consent of the individuals depicted. This practice led to the accumulation of a massive database containing 30 billion images, including those of Dutch citizens, which the AP confirmed during its investigation. The AP’s investigation began in March 2023 after receiving complaints from three individuals who alleged that Clearview AI failed to comply with data access requests. The GDPR grants EU residents specific rights regarding their data, including the right to request access to their data or demand its deletion.
In addition to the €30.5 million fine, the AP has ordered an additional penalty of up to €5.1 million for continued non-compliance, warning that the total fine could reach €35.6 million if Clearview AI continues to ignore the regulator’s demands. The Dutch authority is also considering holding Clearview AI’s executives personally liable for these violations, a significant development in the ongoing scrutiny of the company’s practices.
One of the most significant GDPR breaches cited by the AP is the creation of a database through the collection of individuals’ biometric data without a valid legal basis. The AP emphasized that Clearview AI should never have compiled this database, especially given the sensitive nature of the biometric data involved, which includes face-derived unique biometric codes akin to fingerprints. The collection and use of such data are prohibited under GDPR, with only a few statutory exceptions, none of which apply to Clearview AI.