The Italian data protection authority (the "Garante") has sanctioned facial recognition firm Clearview AI to the tune of €20 million for breaches of EU law. The supervisory authority published its decision on the 9th of March 2022, the decision having been originally issued earlier this year in February. The main impetus of the sanction was that the US-based firm was found to be processing data (including geolocation and biometric data) illegally without relying on an adequate legal basis. 

Other General Data Protection Regulation ("GDPR") breaches identified included:

  • Articles 5(1)(a), 5(1)(b), and 5(1)(e) of the GDPR: Clearview AI had not adequately informed the owners of the photos being used for facial recognition what they were being used for, had processed data subjects' data for purposes other than those they had stipulated, and had violated the storage limitation principle by keeping data indefinitely;
  • Article 6 of the GDPR: the Garante considered that the legitimate interest basis for such processing did not outweigh the rights and freedoms of data subjects, especially due to the intrusive nature of the processing; 
  • Article 9 of the GDPR: the processing of biometric data carried out by Clearview AI did not qualify for any of the exceptions to processing sensitive data;
  • Article 12 of the GDPR: the responses complainants received from Clearview AI were deemed inadequate and unjustifiably delayed, and Clearview AI was found to be making excessive requests of the complainants to verify their identities;
  • Articles 13 and 14 of the GDPR: Clearview AI's online privacy policy lacked a specific indication of the legitimate interest basis for processing and did not set out any data retention periods;
  • Article 15 of the GDPR: when they requested it from Clearview AI, complainants did not receive a precise and transparent list of categories of information processed by the company; and
  • Article 27 of the GDPR: Clearview AI had failed to nominate a representative in the EU.

The Garante's investigation into Clearview AI was instigated following "complaints [from Italian citizens] and reports", namely that Clearview AI was being used by police forces in 24 countries outside the US to run searches for suspects. Clearview AI operates by "scraping" people's images (think selfies!) from the Internet. The firm claims to have used these images to create a database of over 10 billion faces, which powers an identity-matching service it sells to law enforcement.

As well as the €20 million fine, the Garante ordered the controversial company to delete any data on Italian citizens it holds and banned it from carrying out any further processing of Italian citizens’ facial biometrics.

Clearview AI CEO Hoan Ton-That maintained that Clearview AI "does not have a place of business in Italy or the EU, it does not have any customers in Italy or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR", and that the fine should therefore not apply. However, as Clearview AI was processing the data of Italian data subjects, the processing is caught by the extra-territorial reach of the GDPR.

Conclusion

The decision will come as no surprise to followers of the Garante's decisions; the supervisory authority is famously firm when it comes to the use of facial recognition technology. In April of last year, the Garante blocked the deployment of a real-time facial recognition system, Sari Real Time, meant to assist law enforcement with their search for wanted individuals, citing privacy concerns that the tool in its current form would constitute an “indiscriminate mass surveillance system.” 

This is also not the first time skies have been stormy for Clearview AI in Europe. Further warnings to stop processing the data of particular data subjects and delete them from its databases have followed from the French supervisory authority, the CNIL, and the UK supervisory authority, the ICO. The ICO also announced its intent to fine the controversial company £17 million in November 2021 and has now confirmed a £7.5 million fine (check back for more on that decision in the coming days).

Back across the pond, Clearview AI was shown the door in Canada early last year, with the country's privacy watchdog ruling that Clearview AI's facial recognition services violated Canadian privacy law and ordering Clearview AI to delete all Canadian data subjects from its databases. Even on its home soil of the US, Clearview AI is facing challenges due to existing and new biometric legislation. With all these sanctions and challenges, it will be interesting to see what Clearview AI does next.