Clearview AI and the AVG: on violations by third-country companies

It is impossible to imagine our daily lives without the use of the Internet. It’s how we share vacation photos, plan routes and keep in touch with friends and family. Many advantages. Unfortunately, we also increasingly have to deal with the dark sides of the Internet. For example, the Personal Data Authority (AP) recently fined the U.S. company Clearview AI 30.5 million euros for violating the General Data Protection Regulation (AVG).

This company offers facial recognition technology. For this purpose, it has built a database. This database consists of more than 30 billion images of people around the world. The images come from social media and other public sources, such as blogs, news sites and personal websites. In this article, I discuss Clearview AI’s methods and address the AP’s fine.

Scraping

The American company builds its database by using so-called scraping software. This is how it collects images from online (public) sources. According to the AP, these images are stored in the database without (explicit) consent. This is undesirable, because as a result most people do not know that their image is being used in this way. Not for nothing did the AP rule in May that scraping by private companies and individuals is prohibited in almost all cases. See also this article by my colleague Jop Fellinger about this.

Clearview AI used this scraping software to build its database. According to the AP, each face in the database is linked to a unique biometric code, similar to a fingerprint. The company sells access to this database to users of the software. For example, police and investigative agencies. They can upload that image with the goal of finding a match. This image is then matched with the corresponding unique biometric code, allowing the person’s identity to be identified.

Violation of the AVG

The fine imposed by the AP on Clearview AI is primarily based on violation of the AVG. The AVG is the most important regulation in Europe regarding the protection of personal data. Personal data is any information that relates to an identified or identifiable natural person. Examples include names and addresses.

The aforementioned unique biometric code is what is known as special personal data. This type of data is so privacy-sensitive that its processing could have a major impact on a person’s privacy. According to the AVG, this data must be extra well protected. In principle, the collection and use of such data is prohibited unless specific exceptions apply. Clearview AI, according to the AP, does not comply with these exceptions and claims that the company illegally collects and processes this data.

In addition, Clearview AI does not meet the transparency requirements of the AVG, according to the AP. The AP states that the company does not provide enough information to individuals about the use of their images and special personal data. Under the AVG, individuals have the right to know what data has been collected about them. The AP alleges that Clearview AI is ignoring these access requests. Another factor that played a role in the amount of the fine is that, according to the AP, the company uses the unlawful data processing as a revenue model. It also took into account that the processing has been going on since 2019 and is still continuing.

Will Clearview AI pay the fine?

Clearview has not just been fined by the AP. The company has previously been fined by privacy regulators in Italy, Greece and France. It is known that the company has not paid at least the fines in Greece and France.

Clearview states in a statement to RTL news that it does not fall within the scope of the AVG. It is based in the US and because the AVG is European regulation, it would not be affected. Also, Clearview would have no business activity, customer or branch in the Netherlands. According to the AP, the claim about the lack of scope is incorrect: The company processes data of Dutch citizens and thus falls within the scope of the AVG. The company did not appeal the fine, according to the AP. That seems consistent with its view that it has nothing to do with the AVG.

So it is likely at this point that Clearview AI will not pay the fine. There is also no indication now that it will comply with the AVG. If Clearview does not take action in response to the AP’s fine, the question is how the AP can achieve its goal. Invoking the AVG seems like a paper tiger.

The AP is therefore exploring other options for taking action against Clearview. For example, by holding the company’s management personally liable. Earlier, we discussed the phenomenon of directors’ liability in detail. Whether pursuing that route can have the effect desired by the AP remains to be seen. We will keep an eye on any developments.

Incidentally, the AP warns Dutch companies against using Clearview AI. If the AP notices that Dutch companies are using the software, they can expect a significant fine, according to the regulator.

Questions?

Not only Clearview AI has to deal with the AVG and the AP. Does your company process personal data? If so, you too must comply with the rules from the AVG. We have extensive experience in supporting companies in complying with the AVG. Or do you have a question about directors’ liability? Then contact one of our lawyers by mail, telephone or fill in the contact form for a free initial consultation. We will be happy to think along with you.