Hellenic DPA fines Clearview AI 20 million euros

20 July 2022

Background information

  • Date of final decision: 13 July 2022
  • Cross-border case or national case: National case    
  • Controller: Clearview AI Inc.
  • Legal Reference: GDPR: Article 3: Territorial scope. Article 5(1)(a) and (2): Principles relating to processing of personal data. Article 6 (1)(a)(b)(c)(d)(e)(f): Lawfulness of processing. Article 9(1) and 9(2)(e): Processing of special categories of personal data. Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject. Article 14: Information to be provided where personal data have not been obtained from the data subject. Article 15: Right of access by the data subject. Article 17: Representatives of controllers not established in the Union.
  • Decision: Infringement of the GDPR, Administrative fine.
  • Key words: Web scraping, Images Database, Facial Recognition, Biometric Data, AI systems, Geolocation, Jurisdiction under EU law, Representative in the EU.

 

Summary of the Decision

 
Origin of the case:

The Authority examined a complaint against Clearview AI Inc, lodged by the civil non-profit organization “Homo Digitalis” on behalf of a complainant, who claimed that s/he was not satisfied in relation to the right of access s/he exercised before the aforementioned company. With the complaint at issue it was also requested that the practices of the defendant company be examined on the whole from the point of view of the protection of personal data.

 
Key Findings:

The Authority found that the company, which markets facial recognition services, violated the principles of lawfulness and transparency (art. 5 paragraphs 1(a) and (2), 6, 9 GDPR) and its obligations under Articles 12, 14, 15 and 27 of the GDPR.

 
Decision:

The Hellenic DPA imposed a fine of twenty million euros (20,000,000) οn Clearview AI Inc for violating the principles of lawfulness and transparency.

In addition, the Authority ordered the company to comply so that it satisfies the complainant’s request for access to personal data, while imposing (on the same company) a prohibition on the collection and processing of personal data of subjects located in the Greek territory, using methods included in the facial recognition service. Finally, with this Decision, the Authority ordered Clearview AI Inc. to delete the personal data of those subjects located in Greece, which the defendant collects and processes using the aforementioned methods.

 

For further information: decision in national language

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.