The Dutch Data Protection Authority (DPA) has slapped a substantial $33 million fine on U.S.-based facial recognition company Clearview AI for breaching the General Data Protection Regulation (GDPR).
The penalty highlights Clearview’s creation of an extensive, unauthorised facial recognition database that includes millions of images of European citizens, including those from the Netherlands.
Aleid Wolfsen, the chairman of the Dutch DPA, expressed serious concerns about the misuse of facial recognition technology, stating:
“Facial recognition is a highly intrusive technology that you cannot simply unleash on anyone in the world.
If there is a photo of you on the Internet – and doesn’t that apply to all of us? – then you can end up in the database of Clearview and be tracked.
This is not a doom scenario from a scary film. Nor is it something that could only be done in China”
Clearview AI has come under scrutiny globally for scraping publicly accessible images from the internet to compile a vast database of over 50 billion facial images.
These images are converted into biometric data and sold to law enforcement agencies for identifying suspects, persons of interest, and victims.
The Dutch DPA’s investigation revealed multiple GDPR infringements by Clearview, including the unauthorized collection of individuals’ facial data without their consent or knowledge.
Furthermore, Clearview failed to adequately inform individuals in its database about how their data is being used, nor did it provide a clear mechanism for them to access or delete their information.
At present, Clearview only allows residents of six U.S. states—California, Colorado, Connecticut, Oregon, Utah, and Virginia—to access, delete, and opt out of profiling.
The company has argued that it is not subject to EU regulations because it lacks a physical presence in Europe, a claim the Dutch DPA firmly disputes.
In addition to the fine, the Dutch DPA has issued a directive for Clearview to immediately halt its unlawful activities or face an additional $5.6 million penalty.
Dutch companies are also prohibited from using Clearview’s services as part of the ruling.
“We are considering holding the company’s management personally accountable and imposing fines for their role in these GDPR violations,” Wolfsen added. “Directors who are aware of violations and have the power to prevent them but fail to do so could be held liable.”
