Clearview AI fined $20 million, banned from processing biometric data in Greece after GDPR violations
Greece’s privacy authority has fined facial recognition company Clearview AI €20 million for violating parts of Europe’s General Data Protection Regulation (GDPR).
The Hellenic Data Protection Authority (HDPA) released a 22-page decision demanding Clearview AI stop processing biometric data on individuals in Greece and said the company must delete all the data it has already amassed.
The decision stems from a complaint filed by a number of privacy organizations – including Homo Digitalis, Privacy International, Hermes Center, and noyb – in May 2021 with authorities in Greece, the U.K., Italy, Austria and France.
The complaint questioned Clearview AI’s practice of scrapping selfies and photos from public social media accounts and including it in its facial recognition database of some 10 billion facial images. The company sells its facial recognition tools to law enforcement agencies around the world and says it wants to reach 100 billion images in the coming years.
Greek officials said Clearview AI violated several stipulations in the GDPR – articles 5, 6, 9, 12, 14, 15 and 27 – most of which center around the issue of consent. Clearview doesn’t ask people whether it can include their images in its database.
Homo Digitalis said the fine is “another strong signal against intrusive business models of companies that seek to make money through the illegal processing of personal data.”
“At the same time, it sends a clear message to law enforcement authorities working with companies of this kind that such practices are illegal and grossly violate the rights of data subjects,” the organization said.
This is the largest GDPR violation fine the Hellenic Data Protection Authority has ever issued, according to Homo Digitalis.
In a statement to The Record, Clearview AI said it does not have a place of business in Greece or the EU and it does not have any customers in Greece or the EU. The company also claimed its product has never been used in Greece, and “does not undertake any activities that would otherwise mean it is subject to the GDPR.”
Noyb, one of the groups that filed the initial complaint, explained that the fine and the ruling made clear that the GDPR is applicable because Clearview AI uses its software to monitor the behavior of people in Greece, even though the company is based in the U.S. and does not offer its services in Greece or the EU.
“Collecting images for a biometric search engine is illegal. Not only would Clearview now have to delete all hitherto collected images of Italian citizens, but also the biometric information that is needed to search for a specific face,” the privacy organization said in a statement.
“The Greek authority also ordered Clearview to appoint a representative in the EU, to enable EU citizens to exercise their rights more easily and so regulators have a contact person in the EU.”
Noyb noted that the decision from Greek officials comes after similar rulings from privacy authorities in France and Italy. The U.K. fined the company more than £7.5 million in May, ordering it to stop collecting information about U.K. residents and delete what it already has in its database.
The organization said officials in Austria are also preparing a ruling that may be released in the coming months.
Clearview AI’s products have alarmed privacy and security advocates for years, given that the company scrapes publicly-available web pages — like social media profiles and photo-sharing accounts — for data it can feed to its algorithms.
In May, Clearview AI agreed to a court settlement that will ban the company from selling its huge database of faceprints to private businesses or individuals anywhere in the U.S., a move that the American Civil Liberties Union called a big victory for privacy advocates.
After the ruling, Clearview AI CEO and founder – told Click Here, The Record’s podcast unit, that the settlement “doesn’t change anything that we’re doing on a material level.”