Another European privacy watchdog has sanctioned the controversial facial recognition firm, Clearview AI, which scrapes selfies off the Internet to amass a databased of some 10 billion of faces to power an identity-matching service it sells to law enforcement.
Italy’s data protection agency today announced a €20 million penalty for breaches of EU law — as well as ordering the controversial company to delete any data on Italians it holds and banning it from any further processing of citizens’ facial biometrics.
Its investigation was instigated following “complaints and reports“, it said, noting that as well as breaches of privacy law it found the company had been tracking Italian citizens and people located in Italy.
“The findings revealed that the personal data held by the company, including biometric and geolocation data, are processed illegally, without an adequate legal basis, which certainly cannot be the legitimate interest of the American company,” the Garante said in a press release.
Other General Data Protection Regulation (GDPR) breaches it identified included transparency obligations (on account of Clearview not having adequately informed users of what it was doing with their selfies); violations of purpose limitation and having used user data for purposes other than those for which they were published online; and also breaches of data retention rules with no limit on storage.
“Clearview AI’s activity therefore violates the freedoms of the data subjects, including the protection of confidentiality and the right not to be discriminated against,” the authority also said.
Clearview was contacted for comment on the latest GDPR sanction. Update: In a statement attributed to CEO, Hoan Ton-That, Clearview said:
Clearview AI does not have a place of business in Italy or the EU, it does not have any customers in Italy or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR.
In further remarks Ton-That claimed:
We only collect public data from the open internet and comply with all standards of privacy and law. I am heartbroken by the misinterpretation by some in Italy, where we do no business, of Clearview AI’s technology to society. My intentions and those of my company have always been to help communities and their people to live better, safer lives.
It’s the strongest enforcement yet from a European privacy watchdog, with the UK’s ICO warning back in November of a possible fine when it also ordered Clearview to stop processing data.
In December France’s CNIL also ordered Clearview to cease processing citizens’ data and gave it two months to delete any data it held but did not mention a financial sanction.
However, whether Italy will be able to collect the €20M penalty from Clearview, a US-based entity, is one rather salient question.
“The decision was notified to the company yesterday, and the company will have to inform the Authority as to the steps it is undertaking in order to comply with the decision or else to challenge it — including applicability of the GDPR and the relevant measures,” a spokesman for the DPA told us.
In a press release announcing the sanction the Garante also noted that it has ordered Clearvew to designate a representative in the EU “in order to facilitate exercise of data subject rights” — another legal requirement under EU law which it found the company had not fulfilled. But the lack of an EU-based Clearview entity makes it a lot harder for Italy to collect a fine.
While the EU’s GDPR does — on paper — have extraterritorial reach, meaning it applies outside bloc to anyone processing EU people’s data, enforcing against foreign entities that don’t have any local establishments or executives to serve sanctions on can make for hard practical limits on the law’s reach.
That said, DPAs can always go after any local entities foolish enough to become customers of the sanctioned entity — as Sweden’s watchdog did last year, fining a local police force for what it said was unlawful use of Clearview’s facial recognition software.
So each prohibition Clearview racks up in an EU market shrinks its potential customer base. Certainly on the public sector side — and law enforcement remains a primary target for its ID-matching tech. (Although a recent report in the The Washington Post suggests it has been pitching investors on a massive expansion of its business which could include selling ID-matching services to the private sector, such as by targeting financial services or gig economy platforms.)
Despite reportedly bullish talk to its own investors of international expansion, the controversial facial recognition company has been hit with privacy sanctions around the world — from Canada to Australia.
So limits on Clearview’s ability to scale internationally keep expanding, even as (some) US-based law enforcement agencies continue to tap in. Elsewhere in the US, some states have passed legislation limiting the use of biometrics which means that even on home soil Clearview is facing legal challenges to scaling use of its anti-privacy technology.
This report was updated with additional comment