After decisions by the French DPA and Italian DPA, the Greek DPA has now also fined Clearview €20 million. Clearview AI sells facial recognition software to US law enforcement agencies, but it is no longer permitted to share biometric data of individuals in Greece, which follows the example of Italy and France.
Clearview claims to have:
“the largest database of more than 10 billion facial images”
and the aim is to succeed in reaching 100 billion facial images by next year in order to identify every person worldwide. This also includes the use of Clearview AI’s software to monitor the behavior of people in Greece, even though the company is based in the US and does not offer any services in Greece or the European Economic Area. One might think that the GDPR does not apply in this case, but the ruling was very clear: the GDPR is applicable because the territorial scope applies.
The images are collected from social media accounts and other online sources by Clearview. However, the DPA’s ruling explains that collecting images for a biometric search engine is illegal, meaning that both the images and the biometric information should be deleted. Biometric data is a special category of personal data under the GDPR. This means that processing of biometric data is in principle prohibited, unless an exception applies under the GDPR or specific Member State law.
The Greek DPA further ordered Clearview to appoint a data protection representative to enable EU individuals to exercise their rights more easily, and to provide a contact point in the EU for regulators. This is a requirement under the GDPR when a non-EU company is processing EU personal data without any establishment in the European Economic Area. This is further explained in our white paper.
Since complaints have been filed by an alliance of organizations with multiple data protection authorities, it is likely that after France, Italy, and Greece, similar decisions will follow in Austria and the UK. Every data protection authority is allowed to fine companies a maximum of €20 million.
Clearview clearly interpreted the territorial scope of the GDPR incorrectly and has to face millions in fines. It is therefore recommended that non-EU companies ensure that they comply with the GDPR and carefully assess whether the territorial and material scope of the GDPR applies to the company’s business operations.
Is your company complying with the GDPR? Or do you have any questions about GDPR compliance? Contact us, experts in data privacy, to learn more about the GDPR via: firstname.lastname@example.org.