Clearview AI – Complaint Upheld (Austria, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Austria's privacy authority ruled that Clearview AI violated data protection rules by collecting and storing personal images from the internet without a legal basis. Clearview, a US company, argued that GDPR didn't apply to them, but the authority disagreed. This decision highlights the importance of respecting European privacy laws, even for companies outside the EU.
What happened
Clearview AI collected and stored personal images from the internet without a legal basis, according to the Austrian privacy authority.
Who was affected
People in the EU whose images were scraped and stored by Clearview AI.
What the authority found
The Austrian authority decided that Clearview AI's data processing activities fell under GDPR, requiring a legal basis which they lacked.
Why this matters
This case underscores that non-EU companies can be subject to GDPR if they process data related to EU residents. Businesses outside the EU should be cautious about how they handle data from EU citizens.
GDPR Articles Cited
A data subject requested the controller – Clearview AI – to ban the processing of their personal data. Clearview is a US-based company whose business consists in scraping the web to collect pictures from several sources, finding correlations between pictures and indexing them. The database created in this way is accessible to Clearview’s clients by uploading a picture of the persons the clients are looking for. In this way clients have access to other pictures and related URLs. The data subject lodged a complaint with the Austrian DPA as Clearview has no establishment in the EU. According to the data subject, the controller unlawfully processed personal data without a legal basis in violation of Articles 6(1) and 9 GDPR. The controller also violated the principle of purpose limitation and 27(2) GDPR, as it did not establish a representative in the EU. The data subject asked the Austrian DPA not only to order the controller to ban the processing of their data, but also to prevent the controller from processing personal data of other people living in the EU. The controller claimed that GDPR was not applicable, as Clearview had no establishment in the EU, did not offer good or services in the EU, nor monitored people in the EU. The controller claimed that Clearview’s search tool gave access to less personal data than a search on general search engines. The controller did not analyse behaviour of data subjects whose picture were collected, nor profiled them in any way. The controller did not track users’ activities on the Internet, either. The data subject replied that a series of linked pictures was nothing else than another form of monitoring. Moreover, the scraping and indexing of new pictures relating to individuals was continuous: as soon as a new photo popped up on the internet, it was collected by the controller to update this monitoring. A comparison with general search engines was incorrect, as the controller used a biometric criterion and the search produced
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Clearview AI in AT
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Clearview AI - Austria (2023). Retrieved from cookiefines.eu
Last updated: