Clearview Al Inc. – €9,000,000 Fine (United Kingdom, 2022)

The UK DPA has fined Clearview AI Inc. EUR 9 million. The company holds a database of more than 20 billion facial images (including those of UK residents and nationals) from around the world. The data is collected online from publicly accessible platforms such as social networks. The company offers a search service that allows individuals be identified based on the biometric data extracted from the images. Individuals' profiles can be enriched with information associated with those images, such as image tags and geolocation. Clearview AI no longer offers its services in the UK, but it does in other countries, which means that the company continues to use personal data of UK residents. In the course of its investigation the DPA found that the personal data contained in the company's database had been processed unlawfully and without a valid legal basis. Furthermore, in order to exercise their rights under the GDPR, such as the right of access under Art. 15 GDPR, data subjects had to provide Clearview with additional personal data by submitting a photograph of themselves that could be matched against the Clearview database. According to the DPA, this constitutes a significant impediment and deterrent to the exercise of such rights. In addition, the DPA found that the company had violated several principles of the GDPR. For example, the company had violated the principle of transparency by failing to adequately inform users about the processing of their data. Clearview had also violated violated the principle of storage limitation by not providing a data retention policy and thus not being able to ensure that personal data is not held for longer than necessary. Further, Clearview failed to conduct a privacy impact assessment despite the high risk to data subjects' data.