Clearview AI Inc. – €30,500,000 Fine (Netherlands, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Clearview AI was fined for using facial recognition technology without proper consent from individuals. This is significant because it emphasizes the need for companies to respect people's privacy rights when using biometric data. The large fine reflects the seriousness of the violation.
What happened
Clearview AI was fined for processing biometric data without consent from individuals in the EU.
Who was affected
Individuals in the EU whose images were scraped and stored in Clearview AI's database.
What the authority found
The authority found that Clearview AI violated GDPR by not obtaining consent for processing biometric data.
Why this matters
This ruling sends a strong message that companies must obtain consent when using sensitive biometric data. It also highlights the increasing scrutiny on facial recognition technologies.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The controller, Clearview Inc., provides facial recognition services. Among others, it offers a service called “Clearview for law-enforcement and public defenders”. This service allows governments and investigative authorities to search “by image” in a database of over 30 billion pictures. In this way, the user of the service can upload a picture of a data subject and find out which other photos of the database show the same data subject. The controller had created the database by scraping images uploaded on the Internet, including the ones on social media platform. The controller did not set any limitations in terms of geographical location or nationality, so also personal data concerning EU/EEA data subjects (including Dutch ones). Some data subjects noted that their picture was present in this database and, therefore, filed a complaint with the DPA. In addition, the DPA decided to open an ex officio investigation on this matter. The processing of biometric data The DPA found that the data processed by the controller fall into the definition of biometric data under Article 4(14) GDPR. First of all, the DPA pointed out that the mere fact that individuals are shown recognizably in photos is not enough to consider these photos biometric data. On the contrary, this is the case when they are processed through a specific technical means allowing the unique identification or authentication of a natural person. Secondly, the DPA noted that the controller uses an algorithm to convert the collected photos and the uploaded photos into vectors and stores the pictures and the corresponding vectors into a database. Therefore, the controller is using technical means. Thirdly, the DPA held that the purpose of these technical means is allowing the unique identification of natural persons. Indeed, the search function compares the vectors of the uploaded pictures with the other pictures in the database and show in which other photos the data subject is being shown. It is also poss
Related Enforcement Actions (0)
No other enforcement actions found for Clearview AI Inc. in NL
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
16 May 2024
Authority
Autoriteit Persoonsgegevens
Fine Amount
€30,500,000
About this data
Cite as: Cookie Fines. Clearview AI Inc. - Netherlands (2024). Retrieved from cookiefines.eu
Last updated: