The Dutch Data Protection Authority (Dutch DPA) has levied a €30.5 million ($33.7 million) fine against Clearview AI, a facial recognition company, for breaching the General Data Protection Regulation (GDPR) in the European Union (E.U.). The fine was imposed for creating an “illegal database with billions of photos of faces,” including those of Dutch citizens.
“Facial recognition is a highly intrusive technology that cannot be indiscriminately applied worldwide,” stated Aleid Wolfsen, chairman of the Dutch DPA, in a press release.
“If your photo is on the internet – which is the case for most of us – you could end up in Clearview’s database and be tracked. This isn’t a dystopian fantasy; it’s a reality happening now, not just in China.”
Clearview AI has faced regulatory scrutiny in multiple countries, including the U.K., Australia, France, and Italy, for harvesting publicly available online information to create a database of over 50 billion facial images.
These images are linked to unique biometric codes, which are then sold as part of intelligence and investigative services to law enforcement agencies, helping them “quickly identify suspects, persons of interest, and victims to solve and prevent crimes.”
The Dutch DPA accused Clearview of collecting facial data without individuals’ consent or knowledge and of failing to adequately inform those in its database about how their data is being used. The company also lacks a mechanism for people to access their data upon request.
Currently, only residents of six U.S. states – California, Colorado, Connecticut, Oregon, Utah, and Virginia – can access, delete, or opt out of Clearview’s profiling.
The DPA further alleged that Clearview continued its violations even after the investigation, ordering the company to cease its actions immediately or face an additional fine of €5.1 million ($5.6 million). Dutch companies are also banned from using Clearview’s services as part of the ruling.
“We will now explore whether we can hold the company’s management personally liable and impose fines on them for overseeing these violations,” Wolfsen added.
“Directors can be held accountable if they are aware of GDPR violations, have the power to stop them, yet fail to do so, thereby consciously allowing the violations.”
In response, Clearview claimed it is not subject to E.U. data protection regulations as it lacks a business presence in the Netherlands or the E.U. and called the ruling “unlawful.”
In June, Clearview settled a lawsuit in Illinois over facial recognition privacy violations by offering plaintiffs a 23% stake in its future value rather than a traditional monetary settlement, while admitting no wrongdoing.
Source: TheHackerNews
