Artificial Intelligence & Machine Learning
,
General Data Protection Regulation (GDPR)
,
Governance & Risk Management
5th Nation to Investigate Software Firm Imposes Largest GDPR Penalty, Bans Use
The Dutch data regulator is the latest agency to fine artificial intelligence company Clearview AI over its facial data harvesting and other privacy violations of GDPR rules, joining regulatory agencies in France, Italy, Greece and the United Kingdom. The fine of 30.5 million euros is the largest to date.
See Also: InfoSec: Applying AI to Third-Party Risk Management to Achieve Consistency
Clearview AI, a New York-based company that offers facial recognition software to law enforcement agencies, relies on its “automated image scraper” to search and collect images containing faces from the web. Its data repository is estimated to contain 30 billion photos of people and fingerprint details, which are used to create unique biometric codes for authorities to track individuals.
The Dutch Data Protection Authority, which launched an investigation into Clearview AI, found the company failed to adequately inform individuals about the use of their data in the datasets. Collecting and using biometric information is prohibited in the Netherlands.
“Clearview has seriously violated the privacy law General Data Protection Regulation on several points: The company should never have built the database and is insufficiently transparent,” according to the Dutch Data Protection Authority order.
The Dutch regulator has ordered Clearview to suspend its operation in the country, and any noncompliance could result in the company being slapped with an additional 5.1 million euros in fines.
“Clearview breaks the law, and this makes using the services of Clearview illegal. Dutch organizations that use Clearview may therefore expect hefty fines from the Dutch DPA,” said Aleid Wolfsen, chairman of the Dutch Data Protection Authority.
The Dutch regulator said Clearview AI did not appeal the fine.
The company did not immediately respond to a request for comment from Information Security Media Group. It previously said its data-scraping tools are permitted because they are only used for law enforcement purposes. The company’s data processing has been determined to be noncompliant under the EU Law Enforcement Directive, resulting in other European regulators fining the company.
The U.K. Information Commissioner’s Office in 2022 imposed a penalty of 7.5 million pounds against Clearview AI for using unlawfully obtained facial images of British citizens.
The French, Italian and Greek data regulators each imposed fines of 20 million euros on the company in 2022. Regulators in France ordered the company not to collect and process data on individuals located in the country.
The newly enforced European Union AI Act outlaws AI-based social scoring and the scraping of CCTV footage to create facial recognition databases. Any violations could cost companies up to 35 million euros.