The Dutch Data Protection Authority, Autoriteit Persoonsgegevens, is the latest European regulator to crack down on American face-recognition firm Clearview AI, levying a €30.5 million (US$33.8 million) fine that is likely to grow to €35.5 million due to additional penalties for non-compliance.
Of potentially greater concern to US businesses considering violating the privacy of Dutch citizens is that the authority also said it was considering going after Clearview’s board of directors “personally.”
Clearview has run afoul of many regulators in Europe, with the Dutch action following investigations finding violations of the General Data Protection Regulation (GDPR) in France, Italy, Greece, Germany, Britain and Austria.
The Office of the Australian Information Commissioner (OAIC) in August opted to not fine Clearview, but its statements stressed that it believed that Clearview had violated Australian privacy rules. It said it chose not to pursue the company given the large number of other privacy investigations against it.
The Dutch authority issued a sternly worded statement on Tuesday aimed as much at other companies trying to leverage global data as at Clearview.
“Facial recognition is a highly intrusive technology that you cannot simply unleash on anyone in the world,” said the authority’s chairman Aleid Wolfsen in a statement. “If there is a photo of you on the Internet — and doesn’t that apply to all of us? — then you can end up in the database of Clearview and be tracked. This is not a doom scenario from a scary film. Nor is it something that could only be done in China.”
Wolfsen also addressed Clearview’s services to law enforcement. “Clearview says that it provides services to intelligence and investigative services outside the European Union (EU) only. That is bad enough as it is. This really shouldn’t go any further. We have to draw a very clear line at incorrect use of this sort of technology,” he said.
He sees a major difference between law enforcement collecting such data and a private company doing the collection. He said such collection should “certainly not (be done) by a commercial business. And by competent authorities in highly exceptional cases only. The police, for example, have to manage the software and database themselves in that case, subject to strict conditions and under the watchful eye of the Dutch DPA and other supervisory authorities.”
Pursuing customers… and directors
The Dutch regulator also said that it would pursue actions against the company’s customers. “Clearview breaks the law, and this makes using the services of Clearview illegal. Dutch organizations that use Clearview may therefore expect hefty fines from the Dutch DPA.”
Frustrated by an apparent lack of cooperation from Clearview, Wolfsen said that the regulator is prepared to pursue legal actions against members of the company’s board of directors.
“Clearview is an American company without an establishment in Europe. Other data protection authorities have already fined Clearview at various earlier occasions, but the company does not seem to adapt its conduct. That is why the Dutch DPA is looking for ways to make sure that Clearview stops the violations. Among other things, by investigating if the directors of the company can be held personally responsible for the violations,” Wolfsen said. “Such (a) company cannot continue to violate the rights of Europeans and get away with it. Certainly not in this serious manner and on this massive scale. We are now going to investigate if we can hold the management of the company personally liable and fine them for directing those violations. That liability already exists if directors know that the GDPR is being violated, have the authority to stop that, but omit to do so, and in this way consciously accept those violations.”
The regulator added that Clearview responded in a letter but did not explicitly dispute the findings. “Clearview has not objected to this decision and is therefore unable to appeal against the fine,” he said.
Images of children
Another factor at issue in the case is Clearview’s collection and use of images of children, the Dutch regulator said in the official document detailing the charges.
“From information on the Clearview website, it follows that they also offer the application of facial recognition software for identifying children. On their website, Clearview for instance states: ‘a federal agency’s child exploitation unit tripled the number of victims identified with Clearview AI.’”
“According to Clearview, the database contains 30 billion images and by now this number has in all likelihood grown. No measures have been taken to filter and bar images of Dutch data subjects nor their behavior in the Netherlands from the database,” the document said. “On the contrary, from the previous marginal number, it follows that Clearview’s crawler scrapes Dutch websites as well.”
Tim Peters, an officer of compliance firm Enghouse Systems in Canada, stressed that the large number of regulatory actions is what should grab the attention of enterprise CISOs.
Despite the belief that European authorities have little ability to enforce their fines and related penalties against overseas companies, Peters argues that a cumulative effect can make a difference.
“While many might assume this American company will simply ignore the fine, the real risk lies not in this specific penalty but in triggering a wave of regulatory scrutiny. When one regulator takes decisive action on sensitive issues like facial recognition and biometric data, it can often lead to a chain reaction across other jurisdictions,” Peters told CSO Online. “Regulators tend to collaborate and the GDPR framework in Europe is closely watched by other regions, meaning this company could face additional fines globally.”
“People should be considering the snowball effect here. If this company chooses to disregard the fine, other regulators could take note and follow suit with their own actions. Australia, for example, initially chose not to fine the company, but seeing the Dutch regulator’s stance might lead them to revisit that decision,” Peters said. “This could create a pile-on effect, where multiple countries impose penalties, leading to a significant reputational and financial hit.”