Dutch Supervisory Authority imposes a fine on Clearview because of illegal data collection for facial recognition

3 September 2024

Background information

  • Date of final decision: 16 May 2024
  • National case
  • Legal Reference (s): Article 6 (Lawfulness of processing), Article 9 (Processing of special categories of personal data),  Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject),  Article 14 (Information to be provided where personal data have not been obtained from the data subject), Reference,  Article 15 (Right to access by the data subject),  Article 27 (Representatives of controllers not established in the Union),  Article 84 (Penalties)
  • Decision: Administrative fine,  Compliance order
  • Key words: Administrative fine, Algorithms, Biometrics, Data subject rights, Transparency, Lawfulness of processing, Representatives of controller

Summary of the Decision

 

Origin of the case  

Ex officio investigation, also several complaints regarding data subject rights.

 

Key Findings 

First, the Dutch Supervisory Authority (SA) finds that for the purpose of their 'Clearview for law-enforcement and public defenders' service, Clearview processes, without a legal basis to do so, personal data of data subjects who are within the territory of the Netherlands. In doing so, Clearview violates Article 5(1), opening words and subsection (a) of the General Data Protection Regulation (hereinafter: GDPR), read in conjunction with Article 6(1) GDPR. 

Second, for the purpose of said service, Clearview violates Article 9(1) GDPR, by processing a special category of personal data (biometric data) of data subjects who are within the territory of the Netherlands. 

Third, the Dutch SA finds that Clearview does not adequately inform data subjects. Consequently, Clearview acts contrary to Article 12(1) GDPR, read in conjunction with Article 14(1) and (2) GDPR, and contrary to Article 5(1), opening words and subsection (a) GDPR. 

Fourth, Clearview violated Article 12(3) GDPR, read in conjunction with Article 15 GDPR by not responding to two access requests by data subjects. And fifth of all, since Clearview does not facilitate data subjects within the territory of the Netherlands in exercising their right of access, they violate Article 12(2) GDPR, read in conjunction with Article 15 GDPR.

The circumstance that Clearview has not designated a representative in the European Union within the meaning of Article 4, opening words and paragraph 17 GDPR, although they are obliged to do so pursuant to Article 27(1) GDPR, also constitutes a violation of the GDPR. 

 

Decision 

The Dutch SA has decided to fine Clearview AI Inc. (hereinafter: Clearview) a total amount of € 30 500 000.
The AP also decided to impose four orders subject to a penalty for non-compliance on Clearview, which orders relate to ending the still ongoing violations. 

 

For further information: 

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.

  翻译: