Dutch privacy watchdog fines Clearview AI $34 million for ‘illegal’ database of faces

The Netherlands’ top privacy regulator announced Tuesday that it has fined the facial recognition technology company Clearview AI €30.5 million ($34 million) for creating what it called an illegal database of facial images.

The Dutch Data Protection Authority (Dutch DPA) said it will also levy a fine of up to €5 million ($5.5 million) if Clearview AI does not comply with the order.

The American facial recognition company has not fought the decision resulting from the data privacy watchdog’s investigation and therefore cannot appeal the fine, the Dutch DPA said in a statement, in which it also warned companies that it is illegal to use Clearview AI services.

“Clearview has seriously violated the privacy law General Data Protection Regulation (GDPR) on several points: the company should never have built the database and is insufficiently transparent,” the Dutch DPA statement said.

The GDPR is a European Union law that regulates the processing and transfer of personal data. It took effect in 2018 and is considered one of the world's toughest privacy laws.

The facial recognition firm should not have created the photo database, the Dutch DPA said, and should not have linked photos with “unique biometric codes” and other information.

“This especially applies for the codes,” the statement said. “Like fingerprints, these are biometric data. Collecting and using them is prohibited.”

Clearview AI did not respond to a request for comment.

The Dutch DPA pointed to how Clearview scrapes photos from the internet and does not obtain subjects’ consent when doing so or creating the linked code.

Last week, the Dutch DPA fined Uber €290 million ($324 million) for collecting sensitive data from European drivers — including location data, photos and criminal and medical records — before shipping it to the U.S. without adequate data protection measures.

In a statement outlining its charges against Clearview, the Dutch DPA noted that the firm is a commercial business whose customers can provide camera images to find out who people are, culling identities from a database with more than 30 billion photos of individuals. 

“Facial recognition is a highly intrusive technology that you cannot simply unleash on anyone in the world,” Dutch DPA chairman Aleid Wolfsen said in a statement. 

“If there is a photo of you on the Internet – and doesn't that apply to all of us? – then you can end up in the database of Clearview and be tracked,” Wolfsen added. “This is not a doom scenario from a scary film.”

In addition to lambasting Clearview for building its database of faces to begin with, the Dutch DPA criticized the company for what it called its lack of transparency..

“Clearview informs the people who are in the database insufficiently about the fact that the company uses their photo and biometric data,” the Dutch DPA statement said. 

The AI company must show consumers what information it has collected on them if they ask, but does not do so, the Dutch DPA said.