A controversial facial recognition tech company behind a widely-used face image search engine has been fined approximately $33 million in the Netherlands for serious data privacy violations.
According to the Dutch Data Protection Authority (DPA), Clearview AI built an illegal database with billions of photos of faces by crawling the web without gaining consent, including from people in the Netherlands. Clearview AI’s technology, which has been banned in some US cities over concerns about its invasive nature, uses more than 40 billion face images from the web without any geographical or national limitations.
Perhaps most concerning, the DPA found that Clearview AI also provides facial recognition software for identifying children, thereby indiscriminately processing personal data of minors. Trained on face image data, the technology lets a user upload a photo of anyone and search the Internet for matches, making those who appear in the search results easily identifiable. Although marketed as a tool for law enforcement, the DPA stated that Clearview AI’s database casts too wide a net.
The processing of personal data through Clearview AI’s database is highly invasive, offering clients a comprehensive picture of individuals’ lives, the DPA said. Clearview AI had no legitimate interest under the European Union’s General Data Protection Regulation (GDPR) for its invasive data collection, Dutch DPA Chairman Aleid Wolfsen added.
To protect Dutch citizens’ privacy, the Dutch DPA imposed the $33 million fine, which could increase by about $5.5 million if Clearview AI does not comply. The company was also ordered to stop processing personal data, including sensitive biometric data, and update its privacy policies to inform Dutch users of their GDPR rights within three months.
However, Jack Mulcaire, Clearview AI’s chief legal officer, maintains that the company is not subject to the GDPR, arguing that it does not have a place of business, customers, or activities in the Netherlands or the EU. Mulcaire labeled the decision unlawful and unenforceable.
The DPA disagreed, stating that GDPR applies as Clearview AI gathers personal information about Dutch citizens without their consent and fails to allow access to this data upon request. Additionally, Dutch authorities are exploring ways to ensure that Clearview stops the violations, including potentially holding the company’s directors personally responsible.
For further details, please refer to the full Ars Technica report.