Judge's hammer gavel showing GDPR fine for facial recognition database

Dutch Regulator Hits Clearview AI With Large GDPR Fine for Illegal Facial Recognition Database

Despite formally pulling out of the EU market, Clearview AI continues to face legal difficulties as its facial recognition database has drawn a €30.5 million ($33.7 million) GDPR fine from the Dutch data protection agency.

Clearview AI had pulled out of the EU market entirely by 2021 after a series of complaints and an eventual ruling by France’s CNIL that the collection of pictures for its facial recognition database was illegal under regional law and had to be stopped. The company is not known to have ever done much business in the bloc, but regulatory action against its photo scraping remains difficult there as it also never established an EU headquarters and thus claims to not be subject to GDPR fines or other enforcement actions.

Clearview AI refuses to acknowledge GDPR fines

The controversial facial recognition company, which initially offered services to retailers for store use before limiting its clientele to government and law enforcement agencies, has been in operation since 2017 but has also been intentionally evasive about the locations of its offices and its employees. Its actions came to public attention in early 2020 thanks to an investigative report published in the New York Times. The company drew legal attention all over the world when it was revealed it was scraping the user-generated content of sites such as Facebook, Twitter and YouTube to feed its facial recognition database, usually without the knowledge or consent of these sites or their users.

In addition to the GDPR fine, Clearview AI faces a potential added amount of five million euros to be assessed if it does not comply with an order to remove subjects from its facial recognition database. However, history shows that the company will simply ignore the decision. Clearview AI did not formally object to the DPA’s decision, which leaves it liable for the fine. However, the company has repeatedly stated to the media that it believes it is not subject to GDPR terms as it does not have any customers in the EU and maintains no physical presence there.

Facial recognition database still contains EU citizen information

Though Clearview AI does not appear to have ever done much business in the EU beyond offering trials to certain law enforcement agencies in certain countries, the company is thought to have scooped up millions of bloc residents in its indiscriminate global dragnet of scraping any available pictures. Clearview is not offering any indication that it has removed these people from its facial recognition database.

The Dutch DPA has acknowledged that Clearview AI has thus far shown little regard for EU law, stating that the agency is looking into alternate ways to penalize the company and suggesting that company directors might be held personally liable if it can be determined that they were aware of the GDPR violations and chose not to remedy them.

The company had seemed to be on the ropes after a series of penalties following the 2020 expose, including reaching a settlement of about $50 million in the state of Illinois and GDPR fines ranging from $9 million to $20 million from several different EU countries. Clearview seems to have largely ignored its European fines, however, and continues to operate with a customer base primarily made up of US law enforcement agencies (despite bans by some individual cities). In a June interview with the publication Biometric Update, CEO Hoan Ton-That said that the facial recognition database continues to collect images and is now up to 50 billion in total.

Clearview AI does offer a process for finding and removing images from their database upon request, but residents of Europe have noted that the process can be very slow (or never be concluded) and that the company’s constant internet crawling will likely just return those same images to the facial recognition database at some point in the future.

Clearview’s defense to date has been that it is scraping “publicly available information” and thus is doing nothing wrong, and that it cannot specifically identify EU residents via the processes it uses to exclude them from the facial recognition database. The decisions and GDPR fines brought against it may have more value in warding off other companies from attempting similar things in the bloc, as they can be used as a precedent in the case of a similar competitor setting up shop in Europe.

Clearview may be keeping its head above water by ducking and dodging EU GDPR fines, but it has also proposed a creative payment alternative for a collection of class action cases that span the US. In June it proposed giving a 23% stake in the company collectively to Americans that are in its facial recognition database.