Clearview AI Inc – €20,000,000 Fine (Greece, 2022)

The controller (Clearview AI) sells personal identification services, including facial recognition software to law enforcement agencies in the US. The data subjects are the people in Greece. The data subject submitted an access request with the controller. However, she was not satisfied with how the controller handled her request. Homo Digitalis, a non-profit dedicated to the protection of internet users in Greece, submitted a complaint with the DPA on behalf of the data subject. The DPA noted that GDPR is applicable, because Clearview AI uses its software to monitor the behavior of people in Greece, even though the company is based in the U.S. and does not offer its services in Greece or the EU. The DPA further found that the data processing had no legal basis and that there was a lack of transparency concerning the processing operations. Collecting images for a biometric search engine is illegal. The DPA held that the controller violated the principles of lawfulness and transparency (Article 5(1)(a), 6 and 9 GDPR) as well as its obligations under Article 12, 14, 15 and 27 GDPR. The DPA fined the controller €20,000,000 for these violations. The DPA further ordered the controller (1) to satisfy the data subject's access request. In addition, (2) to stop the collection and processing of personal data of subjects located in Greek territory, using methods involved in the facial recognition service and (3) to delete such existing data. Lastly the DPA ordered the controller (4) to appoint a representative in the EU, to enable EU citizens to exercise their rights more easily and so regulators have a contact person in the EU.