Clearview AI, the U.S. face recognition company known for scraping the internet for unauthorized selfies to create a massive database of 30 billion images, has recently faced its largest GDPR penalties to date in Europe. The Dutch data protection authority, known as Autoriteit Persoonsgegevens (AP), fined Clearview AI €30.5 million, or $33.7 million at current exchange rates, for multiple GDPR violations. This penalty exceeds fines imposed by France, Italy, Greece, and the U.K. in 2022.

The AP’s investigation into Clearview AI began in March 2023 after receiving complaints from three individuals regarding the company’s unauthorized collection of data. Under the GDPR, EU citizens have the right to access and request deletion of their personal information. Clearview AI has consistently ignored these requests, leading to the substantial fine imposed by the Dutch regulator.

Clearview AI has been sanctioned for illegally collecting biometric data to build its database, as well as for transparency issues related to GDPR compliance. The AP emphasized that Clearview should never have compiled a database of photos, unique biometric codes, and other associated information, particularly when it comes to face-derived biometric data, which is akin to fingerprints. Collecting and using such data is illegal under the GDPR, and Clearview cannot claim exceptions to this prohibition.

The company also failed to notify individuals about the collection and use of their personal data, as required by law. Lisa Linden of Resilere Partners, Clearview’s PR company, did not respond to inquiries but provided a statement from Clearview’s chief legal officer, Jack Mulcaire, claiming that the company does not have a physical presence or customers in the Netherlands or the EU, and therefore should not be subject to GDPR enforcement.

However, the Dutch regulator asserts that Clearview is indeed bound by the GDPR, as it processes data of EU citizens regardless of its physical location. Clearview’s refusal to comply with GDPR regulations has raised concerns about the company’s operational practices and its potential impact on individuals’ privacy rights.

In an effort to hold Clearview AI accountable and prevent further violations, the Dutch AP is exploring the possibility of imposing personal liability on corporate executives. The agency is considering whether directors could be directly responsible for GDPR infringements and face penalties for failing to prevent such violations.

Aleid Wolfsen, chairman of the AP, stated that corporate leadership should be held accountable if they are aware of GDPR violations within their organization but fail to take action to rectify them. This approach aims to ensure that companies like Clearview AI cannot continue to disregard European privacy laws with impunity.

The AP’s investigation into Clearview AI highlights the need for robust enforcement of data protection regulations to safeguard individuals’ rights and hold companies accountable for their actions. By considering measures to hold corporate executives personally accountable for GDPR violations, regulators aim to promote greater compliance with privacy laws and deter future infractions.

The case of Clearview AI serves as a reminder of the importance of upholding data protection standards and ensuring that companies adhere to legal requirements when processing personal information. As discussions continue on how to address violations by companies operating outside the EU, the potential imposition of personal liability on corporate leaders may serve as a deterrent against future misconduct.

In light of recent developments and the growing emphasis on data privacy, it is imperative that companies abide by regulations such as the GDPR to protect individual rights and maintain trust in the digital economy. The actions taken by the Dutch AP against Clearview AI underscore the importance of holding organizations accountable for their data practices and reaffirming the principles of privacy and transparency in the digital age.