Amsterdam, September 3, 2024 — The Dutch Data Protection Authority (DPA) has imposed a hefty fine of $33.7 million on the U.S.-based facial recognition company, Clearview AI, for significant violations of the European Union’s General Data Protection Regulation (GDPR). The company was found to have built an extensive and illegal database consisting of more than 30 billion facial images, including those of Dutch citizens, without their consent.
Clearview AI, a controversial firm known for its work with law enforcement agencies, developed a system that converts facial images into unique biometric codes. These codes, derived from images scraped from social media and other online sources, enable the identification of individuals with high accuracy. However, the DPA’s investigation revealed that the company did not sufficiently inform the individuals whose data it collected and failed to provide access to the data when requested. These actions are in clear violation of the GDPR, which mandates transparency and user control over personal data.
The DPA’s decision underscores the importance of safeguarding personal privacy in an era where technology can easily overstep legal and ethical boundaries. Aleid Wolfsen, chairman of the DPA, emphasized that the misuse of such powerful technology must be halted. “This really shouldn’t go any further,” Wolfsen said, stressing the need for strict regulation and enforcement.
In addition to the fine, the DPA has warned Clearview AI that it could face an additional penalty of $5.6 million if it does not comply with the order to cease its violations. This includes deleting the illegally obtained data and halting further collection practices that breach GDPR guidelines. The agency also indicated that companies using Clearview’s services within the Netherlands would be subject to similar scrutiny and potential fines.
This ruling reflects the growing concern among European regulators about the unregulated use of facial recognition technology. The case of Clearview AI is particularly alarming given the scale of the data involved and the potential for misuse. The company has previously faced legal challenges and fines in other countries, including the United Kingdom and France, for similar violations.
As the global debate over privacy rights continues, this case serves as a critical reminder of the need for robust legal frameworks to protect individuals from the unauthorized use of their personal data. The Dutch DPA’s decision marks a significant step in enforcing these protections and sends a clear message to companies operating in the EU: compliance with data protection laws is not optional.
For Clearview AI, the path forward will require significant changes in its business practices, particularly in how it handles and processes data. Whether the company can adapt to these regulatory demands remains to be seen, but the stakes are high, not just for Clearview AI, but for the future of facial recognition technology and data privacy worldwide.
