€20 million fine for Clearview AI in Greece
The Greek data protection authority has fined the company Clearview AI €20 million. The company that sells facial recognition software to law enforcement agencies in the U.S. is no longer allowed to process biometric data on individuals in Greece and must delete all existing data.
Complaints in five countries. An alliance of organizations, including noyb, Privacy International (PI), Hermes Center, and Homo Digitalis, filed a series of complaints against Clearview AI Inc. in May 2021. The company claims to have "the largest known database of more than 10 billion facial images" and is aiming to reach 100 billion within the next year to make almost every person worldwide identifiable. The images for this come from social media accounts and other online sources. Complaints have been filed with data protection authorities in France, Austria, Italy, Greece and the United Kingdom.
Clear ban. The ruling is clear: the GDPR is applicable because Clearview AI uses its software to monitor the behavior of people in Greece, even though the company is based in the U.S. and does not offer its services in Greece or the EU. The data processing had no legal basis and there is a lack of transparency concerning the processing operations. Collecting images for a biometric search engine is illegal. Not only would Clearview now have to delete all hitherto collected images of Greek citizens, but also the biometric information that is needed to search for a specific face. The Greek authority also ordered Clearview to appoint a representative in the EU, to enable EU citizens to exercise their rights more easily and so regulators have a contact person in the EU.
Things are getting tight for Clearview. This decision follows the decision by the French authority on Clearview in December 2021, as well as the decision by the Italian DPA: also here, the authority prohibited the collection and processing of data in Italy. We expect a similar decision in Austria soon.