Embattled facial recognition company Clearview AI continues to rack up fines and penalties around the world as the Italian data protection agency has reached a decision against it, assessing a €20 million penalty for its history of scraping photos from social media sites and other public sources.
Clearview AI built a database of over 10 billion facial images by taking publicly posted pictures from Facebook, Instagram and other sources, usually without the knowledge of the platform or permission from the data subjects. The company’s system is primarily used by law enforcement agencies for identification of suspects. It has found itself in serious trouble around the world as these actions have violated a series of biometric privacy laws, data handling laws and platform terms of service. The ruling by Italy’s DPA establishes that the company has also violated the terms of the EU’s General Data Protection Regulation (GDPR) with its actions.
Clearview AI has previously received GDPR violation decisions from the DPAs of Hamburg, France and the United Kingdom. Though it does not maintain a business presence in Europe, it has been found to scrape the data of European citizens for its facial recognition systems and has been ordered to remove these subjects from its database in previous rulings.
The fine of €20 million from the Italian DPA is roughly on par with the fine the facial recognition company received from the UK ICO; France and Hamburg let it escape with an order to delete data collected on residents of each nation. These are among the largest financial penalties the company has faced as of yet, but it stands to face potentially much greater losses from a collection of class action suits brought after it was found to have violated Illinois biometric data privacy law by scraping Facebook for pictures.
Clearview AI will also be forced to delete the data it has collected on Italian citizens, marking another country its business is unwelcome in. The company was essentially run out of Canada in early 2021 as that country’s top privacy watchdog ruled its facial recognition services illegal under national law. Clearview AI was not formally banned from the country, but orders from provinces for law enforcement agencies to stop using it led to it voluntarily withdrawing its business.
The Italian DPA identified multiple GDPR violations: collecting and processing facial recognition data without adequate legal basis, failure to meet transparency requirements, violation of purpose limitation, and breaches of rules regarding allowed amounts of personal data storage. The agency also took issue with Clearview AI’s collection of geolocation data.
In a response to the ruling CEO Hoan Ton-That argued that Clearview AI should not be subject to the rules of the GDPR as it does not have a business presence in Europe. It may be true that the firm does not presently have any European customers, but it has offered trials of its facial recognition product in several EU countries in the past including Sweden, Finland, Belgium and Spain.
Given that the company maintains no EU office or presence, it could prove difficult to actually collect the fine. The enforcement action is more relevant in terms of keeping Clearview from any future plans for expansion in the region, as customers could find themselves in turn hit with GDPR fines for using the product. The company also faces additional outstanding complaints in Austria, France and Greece.
Clearview AI continues to survive, mostly on strength of US business
Though Clearview AI increasingly finds itself unwelcome in localities around the world, the business is managing to hang in largely due to contracts in the United States. It has been run out of Illinois due to that state’s unique biometric privacy law, and is facing some lawsuits in California due to potential violation of that state’s data privacy regulations, but is widely used both by federal agencies and a number of major state and city police departments. It has also been linked to Interpol and to agencies in Saudi Arabia and the United Arab Emirates.
The company is poised to lose all of the $30 million it raised in a recent funding round if it can be made to actually pay its EU fines, but Clearview is making moves as if it plans to expand. It announced plans to patent its biometric database and to expand beyond law enforcement uses, claiming that it will have 100 billion facial images in its database by the end of 2022. The company apparently has plans to move into the monitoring of gig workers, and is looking to expand its biometric surveillance offerings to gait analysis, augmented reality glasses and fingerprint scanning. Clearview has previously ran into trouble in offering its services to private businesses, with an uproar in 2020 when its client list was leaked and it was discovered that it had been offering free trials to retail stores and banks.
In the meantime, the facial recognition firm may find its core business of US federal government contracts being threatened by proposed legislation that has support from both sides of the aisle. A coalition of senators and representatives has penned a letter to the Department of Homeland Security urging agencies to discontinue the use of the service due to privacy issues, and senators Ron Wyden and Ron Paul have introduced a bipartisan bill to block public money from going to the company given that it obtained the contents of its database in illicit ways.