Clearview AI Inc. – €30,500,000 Fine (Netherlands, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The controller, Clearview Inc., provides facial recognition services. Among others, it offers a service called “Clearview for law-enforcement and public defenders”. This service allows governments and investigative authorities to search “by image” in a database of over 30 billion pictures. In this way, the user of the service can upload a picture of a data subject and find out which other photos of the database show the same data subject. The controller had created the database by scraping images uploaded on the Internet, including the ones on social media platform. The controller did not set any limitations in terms of geographical location or nationality, so also personal data concerning EU/EEA data subjects (including Dutch ones). Some data subjects noted that their picture was present in this database and, therefore, filed a complaint with the DPA. In addition, the DPA decided to open an ex officio investigation on this matter. The processing of biometric data The DPA found that the data processed by the controller fall into the definition of biometric data under Article 4(14) GDPR. First of all, the DPA pointed out that the mere fact that individuals are shown recognizably in photos is not enough to consider these photos biometric data. On the contrary, this is the case when they are processed through a specific technical means allowing the unique identification or authentication of a natural person. Secondly, the DPA noted that the controller uses an algorithm to convert the collected photos and the uploaded photos into vectors and stores the pictures and the corresponding vectors into a database. Therefore, the controller is using technical means. Thirdly, the DPA held that the purpose of these technical means is allowing the unique identification of natural persons. Indeed, the search function compares the vectors of the uploaded pictures with the other pictures in the database and show in which other photos the data subject is being shown. It is also poss
GDPR Articles Cited
The controller, Clearview Inc., provides facial recognition services. Among others, it offers a service called “Clearview for law-enforcement and public defenders”. This service allows governments and investigative authorities to search “by image” in a database of over 30 billion pictures. In this way, the user of the service can upload a picture of a data subject and find out which other photos of the database show the same data subject. The controller had created the database by scraping images uploaded on the Internet, including the ones on social media platform. The controller did not set any limitations in terms of geographical location or nationality, so also personal data concerning EU/EEA data subjects (including Dutch ones). Some data subjects noted that their picture was present in this database and, therefore, filed a complaint with the DPA. In addition, the DPA decided to open an ex officio investigation on this matter. The processing of biometric data The DPA found that the data processed by the controller fall into the definition of biometric data under Article 4(14) GDPR. First of all, the DPA pointed out that the mere fact that individuals are shown recognizably in photos is not enough to consider these photos biometric data. On the contrary, this is the case when they are processed through a specific technical means allowing the unique identification or authentication of a natural person. Secondly, the DPA noted that the controller uses an algorithm to convert the collected photos and the uploaded photos into vectors and stores the pictures and the corresponding vectors into a database. Therefore, the controller is using technical means. Thirdly, the DPA held that the purpose of these technical means is allowing the unique identification of natural persons. Indeed, the search function compares the vectors of the uploaded pictures with the other pictures in the database and show in which other photos the data subject is being shown. It is also poss
Related Enforcement Actions (1)
Other enforcement actions involving Clearview AI Inc. in NL
Details
Fine Date
16 May 2024
Authority
Autoriteit Persoonsgegevens
Fine Amount
€30,500,000
GDPRhub ID
gdprhub-8243About this data
Cite as: Cookie Fines. Clearview AI Inc. - Netherlands (2024). Retrieved from cookiefines.eu
Last updated: