The U.S.-based company Clearview AI (hereafter Clearview), known for its facial recognition services, was fined €20.000.000 by the Greek Data Protection Authority for the non-compliant collection and processing of personal data. This is the first time that the Hellenic DPA has imposed such a high data protection fine. Clearview develops facial recognition software that collects facial images from public online sources. The collection of so many photos creates an oasis of images, which are sold to private companies and law enforcement agencies. More information on the services offered by Clearview and on fines imposed by other DPAs can be found here.

Background of the case

The complaint that led to the Authority's decision was lodged by the non-profit civil organization ‘Homo Digitalis’ on behalf of the complainant in May 2021. The complainant exercised her right of access against the company under Art. 15 GDPR, but according to her allegation, the request was not fulfilled. In addition, the complaint asked the Authority to examine the company's practices with regard to personal data and compliance with data protection law.

The Decision

According to decision 35/2022 of the Greek Data Protection Authority, Clearview AI received a €20.000.000 fine for non-compliance with the principles of lawfulness and transparency and with the requirements under Art. 12, 14, 15 and 27 of the GDPR. Furthermore, the Authority ordered the company to fulfil the complainant's right of access, prohibited the collection and processing of personal data of subjects located in Greek territory, and required the immediate deletion of any data already collected on data subjects located in Greece through the company’s facial recognition services (Art. 58 para. 2 lit. g).

Clearview creates “profiles” of individuals

Clearview collects photos of individuals from different public sources (blogs, social media, etc.). Specifically, the company may extract information from these photos, such as metadata or the routines, habits and preferences of individuals, as well as information derived from their facial appearance, that allows the evaluation and potentially the identification of the person’s behavior. As a result, this automated processing of personal data leads to the creation of profiles of individuals. The data gathered is then marketed through Clearview’s database, and users of the Clearview facial recognition platform can search for and identify individuals. Furthermore, users of Clearview’s platform can search the database by uploading an image of the individual they wish to identify. In fact, the database is constantly updated, determining the evolution of the information relating to a specific individual. However, the defendant denied these statements and rejected the claim that it monitors people through their images, arguing that there is a preview of images and not a systematic monitoring of each individual.

The reasoning behind the decision

Violation of GDPR principles:

The Hellenic DPA found that in this particular case the company systematically violated the principles of lawfulness and transparency (Articles 5(1)(a), 6, 9 of the GDPR).

Principle of lawfulness of processing

As the Authority pointed out, there is no legal basis for processing personal data as provided for in Article 6 of the GDPR. Moreover, none of the exceptions in relation to special categories of data listed in Article 9 of the GDPR are met. The data processed by Clearview belong to the category of biometric data, which are considered a special category of data that can only be processed under certain exceptions. Therefore, the processing of personal data is unlawful.

Principle of transparency of processing

According to the Authority, there is a breach of the principle of transparency (Article 5(1)(a) of the GDPR) and the related right to information of the data subjects (Article 14 of the GDPR), because the defendant failed to inform the data subjects whose data it processes accurately and clearly about the collection and use of their personal data.

Violation of data subject rights:

The Authority found that the company violated its obligations under Articles 12, 14, and 15 of the GDPR. Subsequently, it was held that the data subjects whose data are processed by the defendant do not receive any information from the latter, through its privacy policy, in relation to any of the data provided for in Article 14 of the GDPR, neither before nor even after the processing. In fact, the data subjects are likely to never know that their data were processed by the defendant.

Similarly, although the complainant exercised her right of access to her personal data under Article 15 of the GDPR by sending an e-mail to the defendant, she never received any reply to it and her right of access was never met.

Violation of the obligation to appoint a representative:

The Authority noted that the company violated its obligations under Article 27 of the GDPR. However, the defendant argued that it is not regulated by the GDPR, that it does not have an establishment in the EU, and that it neither offers goods or services to people residing in the EU nor monitors their behavior (Art. 3 GDPR). Additionally, the company argued that its services are offered only to law enforcement agencies outside the EU.

Clearview’s use of profiling techniques constitutes an act of targeting data subjects residing in the EU. In this regard, it was initially found that Clearview falls within the scope of the GDPR, under Article 3 para. 2(b) without having an establishment in the EU. Therefore, it has an obligation to designate a representative in the EU in accordance with Article 27 of the GDPR, which it has not fulfilled.