Clearview AI gets its biggest GDPR penalties as Dutch regulator considers making executives personally accountable.
Clearview AI, the controversial U.S.-based facial recognition company, has recently faced significant repercussions from European regulators as the Dutch data protection authority, Autoriteit Persoonsgegevens (AP), imposed substantial fines on the company for violating the General Data Protection Regulation (GDPR). The AP fined Clearview AI €30.5 million, or $33.7 million, for various GDPR violations, marking the largest penalty the company has received in Europe to date.
The investigation into Clearview AI began in March 2023 after several complaints were filed regarding the company’s unauthorized collection and storage of personal data, including images of Dutch citizens. The AP found that Clearview AI had failed to comply with GDPR regulations, including the right of EU citizens to access and delete their personal data. In addition to the initial fine, the AP imposed an additional penalty of €5.1 million for ongoing non-compliance, bringing the total fine to €35.6 million.
One of the key issues identified by the AP was Clearview AI’s illegal gathering of biometric data to create a massive database of images without the consent of the individuals involved. The company was also found to have violated GDPR transparency requirements by failing to notify individuals whose data was being collected and stored.
In response to the fines, Clearview AI’s chief legal officer, Jack Mulcaire, argued that the company does not have a physical presence in the Netherlands or the EU, nor does it have customers in the region, and therefore should not be subject to GDPR regulations. However, the AP maintained that Clearview AI’s actions were in violation of GDPR principles, and the company had to face the consequences.
The AP’s ruling raises questions about the enforcement of GDPR penalties on companies operating outside the EU, such as Clearview AI. The company, which provides identity-matching services to government agencies and law enforcement, has faced similar privacy fines in other European countries but has not been cooperative in addressing the issues raised by regulators.
The Dutch AP is now exploring the possibility of holding Clearview AI executives personally accountable for GDPR violations. The agency is examining whether corporate directors can be held liable for breaches of privacy law and may face penalties for their involvement in ordering such infractions. This move aims to ensure that companies like Clearview AI cannot continue to disregard Europeans’ data rights without facing consequences.
In light of recent legal actions against tech executives, such as the arrest of Telegram founder Pavel Durov in France for content violations, the potential personal liability of Clearview AI’s management could serve as a deterrent to future privacy violations. Directors who are aware of GDPR breaches and fail to take action to prevent them may face individual repercussions, including restrictions on travel within the EU.
The case of Clearview AI highlights the challenges of regulating global tech companies and holding them accountable for privacy violations. As European regulators continue to crack down on data breaches and privacy infringements, the role of corporate executives in ensuring compliance with GDPR rules is coming under increased scrutiny. By considering personal liability for executives, regulators aim to strengthen enforcement mechanisms and promote greater accountability in the digital age.
