When Italy’s data protection watchdog slapped a €20 million fine on facial recognition company Clearview AI earlier this month, it was just the latest move by European authorities against the controversial start-up.
The U.S.-based facial recognition company amassed millions of images, scraped from various sources online, and sells its technology to authorities to identify suspects in crimes. It is reportedly aiming to reach 100 billion images, giving it a sprawling database for customers to draw from.
This attracted some attention from lawmakers in the U.S. But over the last year, Clearview faced growing, harsher scrutiny in Europe over its database.
Garante per la Protezione dei Dati Personali (GPDP), the Italian digital authority, took umbrage at the company’s scraping of personal biometric data like facial images, which included those of Italians. The authority said this was in violation of GDPR, the EU’s data protection law, and ordered the company to cease collecting this data and to delete the database.
The year-long investigation concluded that the company had been collecting data without informing the people in question and had not stated how long it was storing this data.
Other European nations have levied a slew of similar complaints and fines against Clearview.
French authorities issued a similar order to Clearview last December, directing it to delete French faces from its database, while the United Kingdom, which is now outside of the EU, imposed its own fine of £17 million.
The company’s practices raised the ire of digital rights and privacy activists, who want greater action taken by regulators.
Since coming into force in 2018, Europe’s GDPR created a strict rulebook for companies collecting and processing data, with people having stronger rights to provide consent to having their data collected and better ability to request that data be deleted.
National authorities have the power to investigate breaches of GDPR within their own jurisdiction or cross-border cases that encompass multiple countries. Violations can lead to fines, with the largest to date being a €746 million sanction on Amazon.
While states like California have passed GDPR-inspired laws of their own, the U.S. has no federal privacy law.
Privacy International, a non-profit, is one of the organizations that led the charge against Clearview in Europe.
In tandem with partner organizations in several countries last year, it filed a series of complaints with authorities—including the French, Italian and British filings—pushing a coordinated effort to fight Clearview’s surveillance arm. Investigations in Austria and Greece are pending.
Separately, authorities in Germany and Sweden have taken their own action.
“We are seeking a total ban on its activities and those of any similar companies. The essence of their business model relies on expanding the realm of surveillance to creep into every [part] of people’s lives, both online and offline,” Lucie Audibert, legal officer at Privacy International, said to the Daily Dot. “No change short of entirely ceasing their indiscriminate data scraping can make their business acceptable.”
Clearview has pushed back on the complaints and rulings and challenged the jurisdiction of European authorities to investigate the company.
“Clearview AI does not have a place of business in the EU, it does not have any customers in the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR,” chief executive Hoan Ton-That told the Daily Dot in a statement.
He reiterated that Clearview only collects publicly available data and provides its tech to law enforcement for the purpose of catching criminals, though that was not always the case in the company’s early days.
“I am heartbroken by the misinterpretation by some in the EU, where we do no business, of Clearview AI’s technology to society. My intentions and those of my company have always been to help communities and their people to live better, safer lives,” he said.
Alan Dahi, a data protection lawyer at Noyb, an Austrian non-profit that also filed complaints, argued that Clearview still falls within the remit of EU law.
“It’s a common misconception amongst some entities out there. They think if they are sitting abroad and they don’t have any customers in Europe, then the GDPR doesn’t apply to them but in fact the GDPR has a provision which opens up applicability,” he said.
This refers to provisions in the law that restrict monitoring the behavior of people when that behavior takes place within the European Union. The GDPR protects a person’s behavior from being monitored. Dahi argues that this extends to photos scraped from public sources like social media if that person did not provide consent. Many nations, in levying fines, agree.
But just how impactful the rulings in Europe will be remains to be seen as it is unclear how Clearview will respond to the rulings or if it will appeal.
CNIL, the French authority, handed down its ruling in December 2021 and gave the company two months to comply. A CNIL spokesperson declined to comment on its status to the Daily Dot.
The U.K. ruling from November 2021 is a preliminary one and gives the company a few months to make representations to the authority in response to the ruling. A final decision is expected in “mid-2022,” a spokesperson said.
The latest ruling from Italy is one of the firmest yet. On top of the €20 million fine, it demands that the company cease collecting data, delete images of Italians from its databases, and establish a representative within the EU to liaise with authorities and individuals.
A series of multimillion-euro fines could be a massive financial hit to Clearview, which is reportedly valued at $130 million as of last year. The total of fines so far, from Italy and the U.K., is around $44 million.
“They also said that you have to stop processing all data that was collected and you cannot continue to collect any images of Italians and moreover all data that was already collected needs to be deleted. In a sense it is an outright ban on the business model of Clearview AI when it comes to Europe or Italy,” Dahi said.
Crucially, the national-level investigations require the company to delete data on the citizens of that particular country, something that is easier said than done.
Privacy International’s Audibert said it is not practical for any company with such a large database of images globally to delete images from one country while keeping others.
“Clearview’s data scraping is by definition indiscriminate, and no technical adjustment can possibly allow it to filter out faces of people in certain countries.”
Audibert added that national investigations only go so far but a “critical mass” of rulings could push EU authorities, namely the European Data Protection Board, to make an EU-wide ruling.
But GDPR is not the only law that could catch Clearview in its grasp.
In the hallways of Brussels, several pieces of legislation are being thrashed out to rein in tech firms. Among them is the AI Act, a new wide-reaching regulation that seeks to regulate the use of artificial intelligence within the bloc.
Debates around the act are fraught as politicians, industry, and civil society compete over the various designations for AI use cases, such as facial recognition and its use by law enforcement.
Fanny Hidvégi, European policy director at Access Now, said the current proposals in the AI Act fall short.
“While the AI Act is an important opportunity, the proposal currently fails to prohibit uses of facial recognition, as a type of remote biometric identification, that violates fundamental rights,” Hidvégi said. “Without serious improvements, it would provide more of a blueprint for biometric mass surveillance practices than a legal limitation.”