AEPD – Court Ruling (Spain, 2024)

Clearview AI Inc. (the controller or Clearview) is a company established in the United States. The controller scrapes the internet for photos of faces. Users of its services can upload a photo of the face of a person and obtain other photos of the same person, based on facial recognition technology. They also obtain the URLs where those photos were found. These searches may identify a data subject’s social media accounts or other webpages that disclose further personal data about them. The controller claimed to have the biggest known database of facial images with more than 10 billion images. In February 2020, September 2020 and January 2021, the data subject submitted access requests as well as objections to processing to the controller via the email address privacy@clearview.ai. The controller did not respond until 29 January 2021, when it instructed the data subject to exercise its rights using a web form. The data subject submitted the form but did not receive a response. In March 2021 the data subject sent another email to the controller attempting to exercise their rights. The controller again responded by instructing them to fill out the web form. On 10 March 2021 the data subject filed a complaint with the Spanish DPA (AEPD) alleging numerous infringements of the GDPR. The AEPD archived the complaint in September 2021 on the basis that it lacked competence because the controller did not fall within the scope of Article 3(2) GDPR. This provision applies the GDPR to controllers established outside of the EU – in this case, the US – when they offer goods or services to data subjects in the Union of if they monitor their behaviour. The AEPD considered that the provision was not applicable in this case. The data subject initiated proceedings before the Administrative Chamber of Spain’s Audiencia Nacional (the Court) to challenge the AEPD’s decision. It argued that the AEPD is competent to handle the complaint because Clearview processed EU data subjects’ data