Clearview: Dutch data protection authority imposes fine in the millions
The Dutch Data Protection Authority has imposed a multi-million fine on the US facial data collector Clearview and warns against its use.
(Image: Gorodenkoff/Shutterstock.com)
The Dutch data protection supervisory authority "Autoriteit Persoonsgegevens" (AP) has imposed a fine of 20.5 million euros on Clearview. A further 5.1 million euros could be due if the company continues its infringements. The US company operates a database for which billions of images are searched and indexed on the internet. The company's business model is to enable third parties to search using comparative images. This service is offered worldwide to both public authorities and private individuals.
Clearview works in a similar way to PimEyes, which gained notoriety in Germany in the context of the discovery of RAF terrorist Daniela Klette. The federal government and some state governments would also like to allow such software for German authorities, and some police authorities would also like to have such tools. According to the data protection authorities, however, Clearview lacks any legal basis for processing images from the EU at all.
Anyone who nevertheless uses the service is also in breach of the law, emphasizes Dutch data protection officer Aleid Wolfsen. According to the chairman of the Autoriteit Persoonsgegevens, the ability to detect criminals is important and facial recognition can also contribute to this: "But certainly not by a commercial operator. And only in exceptional cases, even with the relevant authorities." Police authorities, for example, would have to use such software and databases themselves and under strict conditions and with data protection controls, says Wolfsen.
Clearview has kept data protectionists busy for years
The Clearview case has kept data protection authorities busy for years. Both the French data protection authority CNIL and its Italian, French and Greek counterparts have imposed fines of millions of euros on the company. As the US company has neither a registered office nor a branch within the scope of the GDPR, all supervisory authorities are responsible – each of them can therefore impose fines, but may only do so for data subjects in their own country of jurisdiction.
AP wants to make management liable
However, the fines from Europe seem to have been of little interest to Clearview so far. Dutch Data Protection Commissioner Aleid Wolfsen announced that his authority is therefore now also examining the extent to which it can hold the company's management personally liable for the legal violations: "It must not be the case that such companies permanently violate the rights of Europeans and get away with it." Whether personal liability is possible under data protection law is controversial in expert circles – it remains to be seen what enforcement in the USA might look like.
(anw)