Decision by the Austrian SA against Clearview AI: Infringements of Articles 5, 6, 9, 27 GDPR

12 May 2023

Background information

  • Date of decision: 10 May 2023 
  • Cross-border case or national case: National case
  • Controller: Clearview AI
  • Legal references: Article 5, Article 6, Article 9, Article 27 GDPR
  • Decision: Infringement of the GDPR, Order to erase complainant’s data, Order to name an Article 27 representative
  • Key words: Facial recognition; biometric data

Summary of the Decision

Origin of the case

Following a complaint, the Austrian SA (DSB) issued a decision against the facial recognition company Clearview AI on 10 May 2023.

The company reportedly owns a database of over 30 billion facial images from all over the world, which are extracted from public web sources (media outlets, social media, online videos) via web scraping. It offers a sophisticated search service which uses AI systems to create profiles on the basis of the biometric data extracted from the images. The profiles can be enriched with information linked to those images, such as image tags, geolocation or the source web pages.

Through a request for access, the complainant found out that his image data was also being processed by Clearview AI. He then lodged a complaint with the Austrian SA.

Key Findings

The DSB found that Clearview AI infringed the following provisions of the GDPR: 

Article 5(1)(a): The processing of the complainant's personal data lacked lawfulness, fairness and transparency.

Article 5(1)(b): The processing carried out by Clearview AI serves a completely different purpose from the original publication of the complainant's personal data (especially photographs).

Article 5(1)(c): The permanent storage of personal data also constitutes a breach of the data minimisation principle.

Article 9(1): The scanning of the complainant's face, the extraction of his uniquely identifying facial features and the translation of these features into vectors constitutes processing of special categories of personal data. An exception to the processing prohibition pursuant to Article 9(2) does not apply in this case, which is why the processing was carried out in violation of Article 9(1) GDPR.

To the extent that the complainant's personal data did not constitute special categories of personal data and thus Art. 9 GDPR did not apply, the processing would be unlawful:

Article 6(1): The processing of Clearview AI could only have been covered by Article 6(1)(f) GDPR. After an extensive weighing of interests, the DSB came to the conclusion that, due to the serious intrusion into his privacy, the interests of the complainant clearly outweighed the purely commercial interests of Clearview AI.

Decision

The Austrian SA found that Clearview AI infringed the above provisions of the GDPR.

Clearview AI was ordered to erase the complainant’s personal data and to designate a representative within the European Union.

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.