AEPD – Court Ruling (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Spanish Data Protection Agency decided that it could not handle a complaint against Clearview AI because the company is based in the U.S. and does not fall under EU regulations. This is significant because it raises questions about how EU privacy laws apply to foreign companies. Users in the EU may not have the same protections when dealing with non-EU companies.
What happened
Clearview AI was not held accountable by the Spanish DPA for failing to respond to a user's data access requests.
Who was affected
A user who tried to access their data and object to processing by Clearview AI was affected by the company's lack of response.
What the authority found
The court ruled that the Spanish Data Protection Agency lacked jurisdiction over Clearview AI under GDPR's Article 3(2).
Why this matters
This case highlights the challenges of enforcing privacy rights against foreign companies. It suggests that users in the EU may need stronger protections when dealing with non-EU service providers.
Original data from scraper before AI verification against source document.
Clearview AI Inc. (the controller or Clearview) is a company established in the United States. The controller scrapes the internet for photos of faces. Users of its services can upload a photo of the face of a person and obtain other photos of the same person, based on facial recognition technology. They also obtain the URLs where those photos were found. These searches may identify a data subject’s social media accounts or other webpages that disclose further personal data about them. The controller claimed to have the biggest known database of facial images with more than 10 billion images.
In February 2020, September 2020 and January 2021, the data subject submitted access requests as well as objections to processing to the controller via the email address privacy@clearview.ai. The controller did not respond until 29 January 2021, when it instructed the data subject to exercise their rights using a web form. The data subject submitted the form but did not receive a response. In March 2021 the data subject sent another email to the controller attempting to exercise their rights. The controller again responded by instructing them to fill out the web form.
On 10 March 2021 the data subject filed a complaint with the Spanish DPA (AEPD) alleging numerous infringements of the GDPR. The AEPD archived the complaint in September 2021 on the basis that it lacked competence because the controller did not fall within the scope of Article 3(2) GDPR. This provision applies the GDPR to controllers established outside of the EU – in this case, the US – when they offer goods or services to data subjects in the Union or if they monitor their behaviour. The AEPD considered that the provision was not applicable in this case.
The data subject initiated proceedings before the Administrative Chamber of Spain’s Audiencia Nacional (the Court) to challenge the AEPD’s decision. It argued that the AEPD is competent to handle the complaint because Clearview processed EU data subjects’ data
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Cite as: Cookie Fines. AEPD - Spain (2024). Retrieved from cookiefines.eu