Out-Law News

Dutch DPA fines US-based facial recognition company for GDPR breach


The Dutch data protection authority has imposed a fine of €30.5 million on facial recognition software provider Clearview AI, plus additional periodic penalty payments with a maximum of more than €5 million, for creating a database with faces of Dutch people.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens/AP) has also warned that it is illegal for Dutch organisations to use Clearview AI's services.

Clearview AI is a commercial business that offers facial recognition services to intelligence and investigative services. Customers can provide camera images to find out the identity of people shown in the images. For this purpose, Clearview has a database with more than 30 billion photos of people. Clearview scrapes these photos automatically from the internet and then converts them into a unique biometric code per face. The people whose faces are scanned are not aware of this and have not given explicit consent to the processing of their personal data.

The AP said that Clearview AI has seriously violated the EU’s General Data Protection Regulation (EU GDPR) on several points and was never allowed to build the database with unique biometric codes in the first place. It also said that the company failed to inform people that it uses their photos and to give them a way to access their data, as they have a right to under the EU GDPR.

In its decision notice, the AP concluded that Clearview AI’s processing activities were within the territorial scope of EU GDPR because it amounted to monitoring the behaviour of individuals within the EU. The AP also found that Clearview AI’s processing was within the material scope of EU GDPR.

Andre Walter, an Amsterdam-based data protection expert at Pinsent Masons, said: “In the EU, there is an exception for competent authorities for the purpose of the prevention, investigation, detection, prosecution or punishment of criminal offences, which does not fall within the scope of the EU GDPR. The Dutch DPA ruled that Clearview AI could not rely on this exception, as the processing involved in creating and maintaining the database of images was found to be processing by Clearview AI as a private entity. This is despite the fact that, according to the AP, Clearview says it only provides its service to intelligence and law enforcement agencies. The AP emphasises that the exemption should be interpreted strictly, and as Clearview is a private company it is in scope of the EU GDPR.”

According to the AP, Clearview “did not object to the decision and therefore cannot appeal the fine”.

Clearview has also collected faces of UK citizens and has been fined for this by the UK data protection authority, the Information Commissioner’s Office (ICO). Malcolm Dowden, a data protection expert at Pinsent Masons, said: “From a UK perspective perhaps the most striking aspect of the AP’s decision notice is their finding that Clearview AI’s processing fell within the material scope of EU GDPR as well as being caught by its extraterritorial reach provisions in Article 3. This is particularly interesting because the AP’s finding differs from the view reached by the UK First Tier Tribunal (FTT) in October 2023 when Clearview successfully appealed against the ICO’s imposition of a £7.5 million fine.”

Back then, the FTT found that the ICO had no jurisdiction to impose a fine on Clearview because its processing was outside the territorial scope of UK GDPR post-Brexit: unlike EU GDPR, UK GDPR includes an article that excludes processing that, immediately before the Brexit implementation date, was outside the scope of EU law. It also found that the processing was outside the material scope of the pre-Brexit GDPR. The reference to “pre-Brexit GDPR” is essentially a reference to EU GDPR.

“Consequently, the FTT’s October 2023 decision indicated its view that Clearview’s processing ought not to be regarded as within scope of EU GDPR. Crucially, the FTT considered processing by Clearview to be ‘related’ to that of their client law enforcement and national security bodies which - although not explicitly stated - seems to have meant that it was regarded as processing for and within the course of the activities of those law enforcement and national security clients”, Dowden said.

But the AP decision takes a different view. It emphasises that the exceptions at EU GDPR Article 2(2) “should be interpreted strictly” and should apply only to processing carried out by, or directly on behalf of, law enforcement agencies and national security bodies. “That does not include the preparatory processing carried out by Clearview AI in creating and maintaining the database of images, or applying ‘vectors’ to images to prepare them for matching with ‘probe images’ as and when supplied by clients,” the AP said.

Finding that Clearview’s own processing - as a private entity - did not fall within the EU GDPR Article 2(2) exceptions, the AP was able to conclude that Clearview’s processing was within the territorial scope of EU GDPR.

Dowden said: “Shortly after the FTT decision the ICO announced its intention to appeal. Although Clearview AI had by then announced that it would no longer provide services to EU or UK law enforcement bodies it seemed that it had nonetheless retained images of EU and UK citizens. The AP’s decision and the size of the fine reflect the determination of EU supervisory authorities to compel Clearview to cease processing those images. It remains to be seen whether the AP’s action refuels the ICO’s determination to pursue an appeal and reinstate its own enforcement action against Clearview.”
