Selfie scraping Clearview AI hit with another €20M ban order in Europe

Clearview AI has been hit with another sanction for breaching European privacy rules.

The Athens-based Hellenic data protection authority has fined the controversial facial recognition firm €20 million and banned it from collecting and processing the personal data of people living in Greece. It has also ordered it to delete any data on Greek citizens that it has already collected.

Since late last year, national DPAs in the U.K., Italy and France have also issued similar decisions sanctioning Clearview — effectively freezing its ability to sell its services in their markets since any local customers would be putting themselves at risk of being fined.

The U.S.-based company gained notoriety for scraping selfies off the internet to build an algorithmic identity-matching commercial service aimed at law enforcement agencies and others, including private sector entities.

Last year, privacy regulators in Canada and Australia also concluded Clearview’s activities fall foul of local laws — in earlier blows to its ability to scale internationally.

More recently, in May, Clearview agreed to major restrictions on its services domestically, inside the U.S., in exchange for settling a 2020 lawsuit from the American Civil Liberties Union (ACLU), which had accused it of breaking state law in Illinois that bans the use of individuals’ biometric data without consent.

The European Union’s data protection framework, the General Data Protection Regulation (GDPR), sets a similarly high bar for legal use of biometric data to identify individuals — a standard that extends across the bloc, as well as to some non-member states (including the U.K.); so around 30 countries in all.

Under the GDPR, such a sensitive purpose for personal data (i.e., facial recognition for an ID-matching service) would — at a minimum — require explicit consent from the data subjects to process their biometric data.

Yet it’s clear that Clearview did not obtain consent from the billions of people (and likely millions of Europeans) whose selfies it surreptitiously took from social media platforms and other online sources to train facial recognition AIs, repurposing people’s data for a privacy-hostile purpose. So the growing string of GDPR sanctions stacking up against it in Europe is hardly surprising. And more penalties may follow.

In its 23-page decision, the Hellenic DPA said Clearview had breached the legality and transparency principles of the GDPR, finding violations of articles 5 (1)a, 6 and 9; as well as breaches of obligations under articles 12, 14, 15 and 27.

The Greek DPA’s decision follows a May 2021 complaint made by local human rights advocacy group, Homo Digitalis, which has trumpeted the win in a press release — saying the €20 million penalty sends a “strong signal against intrusive business models of companies that seek to make money through the illegal processing of personal data.”

The advocacy organization also suggested the fine sends “a clear message to law enforcement authorities working with companies of this kind that such practices are illegal and grossly violate the rights of data subjects.” (In an even clearer message last year, Sweden’s DPA fined the local police authority €250,000 for unlawful use of Clearview it said breached the country’s Criminal Data Act.)