Garante per la protezione dei dati personali (Italy) - 9751362

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(e) GDPR
Article 5(1)(a) GDPR
Article 6 GDPR
Article 9 GDPR
Article 12 GDPR
Article 13 GDPR
Article 14 GDPR
Article 15 GDPR
Article 27 GDPR
Type: Investigation
Outcome: Violation Found
Started: 09.03.2021
Decided: 10.02.2022
Published:
Fine: 20,000,000 EUR
Parties: Clearview A.I.
National Case Number/Name: 9751362
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: gauravpathak

The Italian DPA fined Clearview €20,000,000 for conducting facial recognition on public web sources in violation of Articles 5(1)(a), (b) and (e), 6, 9, 12, 13, 14, 15 and 27 GDPR. It also prohibited further processing and required the deletion of personal data already collected and the designation of a representative.

English Summary

Facts

Clearview A.I. Inc. (Clearview) is a company conducting facial recognition on public web sources and is the data controller. Four data subjects had sought information from Clearview under Article 15 GDPR. Clearview replied to three of them and provided “special reports” containing the results obtained through the Clearview software. In 2021, these data subjects complained to the Italian DPA (Garante per la protezione dei dati personali) regarding the processing of their personal data by Clearview, without their consent. In addition, two "organisations committed to defending the privacy and fundamental rights of individuals" submitted information about precedents in Germany and Sweden, and their reports on activities of Clearview to the DPA. Based on the press reports on the activities of Clearview and the complaints submitted to it, the DPA opened an investigation.

Before the DPA, Clearview submitted as follows:

The GDPR was not applicable and the DPA lacked jurisdiction as Clearview was not offering its services in Italy and had utilized technical measures to block Italian IP addresses from accessing services of Clearview. Clearview was not carrying out any monitoring activity as per Article 3(2)(b) GDPR, and its search results were akin to Google Search. Clearview did not have a list of Italian customers, and its privacy policy did not refer to GDPR. Clearview did not have a representative in the Union as mandated by Article 27 GDPR. Accordingly, the activities of Clearview were not covered by the GDPR.

Since 2019, law enforcement agencies in the United States (US) were using Clearview, “especially in the context of child pornography investigations”. This generated international interest and several European government agencies signed up for a test account for a short time.

In March 2020, following complaints by regulators in the European Union (EU), these test accounts, which were very few, were closed.

Clearview does not have any customers in the EU, and it ensures this through a “specific setting that prevents access to the software via European IP addresses.”

Clearview’s technology is used by law enforcement agencies and assists them in identifying criminals. As per Clearview’s terms, it is the responsibility of its customers to “verify that the use of this product is legitimate in light of the local regulations applicable to it.”

Clearview contractually requires its users to conduct further investigations and independently corroborate information collected using Clearview.

Clearview is based in the US and has no branch in the EU. It neither offers its services in the EU nor monitors behaviour.

Clearview did expand to Canada but ceased all its activities in Canada following the proceedings initiated by the Canadian Privacy Commissioners. This expansion cannot be considered to demonstrate its intention of entering the Italian market.

Journalistic sources cannot be relied upon as they are speculative.

The Swedish decision was concerning the above test accounts that existed for a short period and were available to Swedish police forces.

Clearview did not conduct any behavioural analysis or use any profiling techniques. Collection of data, even of significant volume, does not automatically constitute profiling.

The Data Controller is Clearview’s customer (i.e. police forces) and not Clearview itself, and this was held by the Swedish authority.

Clearview “does not collect or provide any information about the location, browser history, business activity or behaviour of the natural person who appears as a search result and does not imply any behavioural, predictive or analytical modeling. The information that can be obtained about an individual using Clearview's search engine is less meaningful than the information that can be obtained from a Google Search based on that individual's name, and no one is claiming that a Google browser search constitutes behavioral monitoring.”

Clearview is compliant with US law and it is impossible to take into account all existing laws in a globalized world. “Moreover, since Google's search engine is presumed to comply with European laws because Google is established in the EU and offers its services to users in the EU, if the Regulation were also found to apply to Clearview, the processing of the complainant's data should be considered lawful”.

Clearview voluntarily complies with requests for access from European residents, even though it is not bound to do so.

Holding

The DPA determined as follows:

Clearview “not only collects images to make them accessible to its customers, but also processes the collected images by web scraping, through a proprietary facial matching algorithm, in order to provide a highly qualified biometric search service.” As per its website, the free service is not available to the public but only to a certain category of customers (i.e. police forces). Therefore, “the platform offered by Clearview assumes peculiar characteristics that differentiate it from a common search engine that does not process or enrich images present on the network. In particular, Clearview does not work on cache memory, but creates a database of snapshots of images that are stored as present at the time of collection and not updated. Moreover, as mentioned above, Clearview processes these images with biometric techniques, hashes them and associates them with any available metadata”. Thus, its services are not like those being offered by Google.

Clearview is the data controller as it “uses its own means to collect images and subsequently transform them into biometric data, and has a proprietary database in which the information is stored and extracted as a result of the search performed by the user. The purpose pursued by Clearview is therefore that of making available, in return for a fee, information such as images and metadata, useful to customers for the pursuit of different and additional purposes.”

The DPA has jurisdiction and GDPR is applicable to Clearview as it once did offer its services to European users. Moreover, Clearview’s activities, as revealed from its patent application filed in the US, constitute “monitoring of behaviour”. In addition, Clearview’s website states, “the data collected include not only photographs available to the public and available on the Internet, but also information that can be extracted from those photographs, such as the geolocation metadata that they may contain, as well as information derived from the analysis of the faces of the persons depicted and which, as such, constitute biometric data on the basis of which the comparison process is carried out.” Accordingly, Article 3(2) GDPR is applicable. Moreover, the issue of DPA’s jurisdiction and powers qua Clearview has also been decided by CNIL in a different matter.

The photographic image of a person, as long as the person is identified or identifiable, constitutes personal data. The fact that the photographs were already available on the internet “is not sufficient to consider that data subjects can reasonably expect them to be used for facial recognition purposes, moreover by a private platform, not established in the EU and of whose existence and activity most data subjects are unaware.” Web Scraping activities are almost always prohibited by social media platforms and press reports have shown that “Twitter, Youtube, LinkedIn have sent Clearview a cease and desist letter to stop collecting data that can be used to identify a person.”

Clearview not only collected personal data but through further processing converted a photograph into biometric data.

Clearview did not comply with Article 5(1)(a) GDPR “which requires compliance with the principles of lawfulness, fairness and transparency in the processing of data with regard to the data subject”.

Clearview violated Article 5(1)(b) GDPR which “provides for compliance with the principle of purpose limitation.”

Clearview violated Article 5(1)(e) GDPR which “provides for compliance with the principle of storage limitation.” This was because there was “no indication of any retention period either from the analysis of Clearview's privacy policy, or from the feedback received from the Company, which was incomplete on this point, or from the information contained in the complaints submitted by the interested parties.”

Clearview did not have any valid basis under Article 6 GDPR for the processing of personal data. Its claimed legitimate economic interest “cannot but be at odds with the rights and freedoms of the persons concerned, and in particular with the serious threat to the right to privacy, the prohibition of automated processing and the principle of non-discrimination inherent in the processing of personal data such as that carried out by the Company.”

Clearview violated Article 9 GDPR due to its “processing of special categories of data (with reference to biometric data).”

Clearview violated Articles 12, 13, 14 and 15 GDPR as the data subjects “had to repeat their requests for access several times before receiving a reply from Clearview, despite the fact that the contact channels indicated on the company's website (online form and e-mail address dedicated to privacy requests) had been used.” Moreover, “Clearview, in order to process requests for access, has asked the interested parties to provide identification, such as an identity document, which is excessive in relation to the objective pursued” as there were no “reasonable doubts” as to the identity of the data subjects. Clearview did not provide timely, complete, up to date, “precise and transparent communication” to the data subjects.

Clearview breached Article 27 GDPR by not having its representative in the territory of the EU.

There were no grounds to determine a violation of Article 22 GDPR as Clearview had “not provided any specific evidence in this regard, and no technical system elements are currently available that could corroborate the thesis of the existence of automated processing.”

Clearview’s violations were considered to be serious as they were akin to mass surveillance. They were not isolated events and continued even after “service was no longer offered to customers established in the European Union.” Thus, the DPA directed Clearview to do the following:

1) Prohibit (any further) processing of: i) collection, by means of web scraping techniques, of images and related metadata of data subjects on Italian territory; ii) common and biometric data processed through its facial recognition system of data subjects on Italian territory.

2) Delete the “aforementioned data, without prejudice to the obligation to provide timely feedback to requests to exercise the rights” given under Articles 15-22 GDPR, “which may have been received in the meantime from interested parties. In the latter cases, in order to facilitate the exercise of rights by the data subjects, the response must be provided in accordance with the timeframe and procedures set out” in Article 12(3) GDPR.

3) Designate within thirty days “a representative in the Italian territory to act as interlocutor, in addition to or instead of the data controller, with the interested parties in order to facilitate the exercise of their rights.”

4) Provide “adequately documented feedback, within thirty days of notification of this measure, of the initiatives taken to implement the above order” and “measures put in place to facilitate the exercise of the rights of the persons concerned.”

5) Pay a cumulative sum of €20,000,000 for violating Articles 5(1)(a), (b) and (e), 6, 9, 12, 13, 14, 15 and 27 GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

During 2021, the Office received four complaints lodged against Clearview. Specifically:
- on 24 February 2021 by Mr XX (file no. XX);
- on 22 March 2021 by Mr XX (file no. XX);
- on 1 June 2021 by Mr XX (file no. XX);
- on 22 July 2021 by Mr XX, who complained about the lack of response to his requests for access to data under Article 15 of the GDPR, also following two reminders on 25 May and 18 June 2021 (file no. XX).
The complainants XX, XX and XX pointed out that their data had been processed without their consent.
The complainants XX, XX and XX reported that Clearview had asked them to send a copy of a personal identity document in order to comply with their requests for access.
From the documentation accompanying the complaints, the Office found that Clearview responded to the access requests of complainants XX, XX and XX by means of reports containing the results of the search generated by the software. In particular, it emerged that:
- with reference to Mr XX, the Company has three images in its databases which are indexed through the following URLs:
https://..;
https://..;
https://...
- with reference to Mr XX, the Company has 13 images in its databases indexed through the following URLs:
https://...
https://...
https://...
https://...
http://...
https://...
https://...
https://...
https://...
https://...
https://...
https://...
https://...
- with reference to Mr XX, the Company has in its database 9 images indexed through the following URLs:
http://...
https://...
https://...
https://...
https://...
https://...
https://...
https://...
http://...
The Authority also received two complaints from two organisations committed to the defence of privacy and people's fundamental rights.
In a note dated 19 February 2021, the association XX, in addition to pointing out the Swedish and German authorities' precedents, drew the Authority's attention to a number of critical issues concerning the legal basis of the processing carried out by Clearview, as well as with regard to the procedures adopted by the company with regard to the right of access (file no. XX).
On 7 September 2021, the same association sent a further report asking the Office to investigate the use of Clearview's services by the State Police.
On 25 May 2021, the XX organisation informed the Office of criticalities concerning Clearview's processing of data, in particular with regard to the legal basis, compliance with the general principles of data protection and the risks to the fundamental rights and freedoms of data subjects arising from the use of Clearview's product by law enforcement authorities (file no. XX).
2. INVESTIGATIVE ACTIVITY
By note of 25 March 2021 (prot. of the Guarantor no. 16155/2021), in response to the Authority's request for information of 9 March 2021, the Company maintained the inapplicability of the Regulation and therefore the lack of jurisdiction of the Italian Guarantor. In particular, it declared i) that it does not offer products and services in Italy because it has adopted technical measures aimed at blocking any attempt to access the platform by Italian IP addresses and ii) that it does not carry out any monitoring within the meaning of Article 3(2)(b) of the Regulation because the concept of monitoring implies a continuous and persistent observation, whereas Clearview AI's only product is an image search application that provides search results with links to third-party websites. This technology, therefore, according to the Company, would not track people over time, but would result in a snapshot of the search results at the time of their completion, comparable to the search operations carried out by Google Search. The Company reported that it did not keep any list of Italian clients, that it had not included any reference to the Regulation in its privacy policy and that it had not appointed a representative pursuant to Article 27, as this rule, like the rest of the Regulation, would not apply to the activity carried out by the same.
In a note dated 22 April 2021 (prot. no. 22235/2021), the Office, on the basis of the elements acquired, notified Clearview, pursuant to article 166, paragraph 5, of the Code, of the start of the procedure for the adoption of the measures referred to in Article 58(2) of the Regulation, concerning the alleged violations of articles 5, par. 1, letters a), b) and e), 6, 9, 12, 13, 14, 15 and 22 of the Regulation.
With the same note, the Company was invited to produce to the Guarantor defence writings or documents or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code).
In a note dated 22 June (ref. no. 33759/2021), following a request for an extension of the deadline dated 2 June (ref. no. 30734/2021), to which the Office replied on 4 June (ref. 30787/2021), Clearview submitted its statement of defence, stating that:
- since the end of 2019, American law enforcement agencies have been promoting the use of Clearview products, especially in the context of child pornography investigations. This has resulted in international interest in Clearview products, which has led to European government agencies signing up for trial accounts for a short period of time;
- in March 2020, following complaints received through European regulators, these trial accounts, which were small in number, were all closed and deactivated;
- Clearview no longer has any European test users or customers established in the European Union: this is ensured by a specific setting which prevents access to the software via European IP addresses;
- the technology behind the service is designed to improve public safety by reducing investigation time and by assisting law enforcement in identifying criminals (including violent criminals, paedophiles and drug traffickers). The Company points out that these activities are carried out by, and under the direct control of, public authorities who, on their own responsibility, decide to use Clearview software subject to the conditions of use, which stipulate that it is the customer's responsibility to verify that the use of this product is lawful in the light of the local regulations applicable to it. Therefore, as with any technology supplier, the Company is not responsible for the use of technology or devices by customers;
- assessing the legal basis for customers' or potential customers' use of the software cannot be Clearview's mission or responsibility;
- the Company contractually requires its customers to conduct further investigations in order to independently corroborate all information collected using Clearview's technology, primarily the identification of the subject through its software; no decision, to the best of the Company's knowledge, is made solely on the basis of the data provided by the Clearview software;
- with respect to jurisdiction, the Company, having recalled that it is based in the U.S.A. and has no subsidiary in the European Union, claims the inapplicability of Article 3(1) of the Regulation, in that it is not established in the EU or in Italy, and the inapplicability of Article 3(2) of the Regulation (targeting criterion) both from the point of view of the supply of goods and services to data subjects located in the European Union and the monitoring of their behaviour in so far as the monitoring takes place in the European Union;
- with regard to the criterion of offering goods and services, irrespective of whether or not payment by the data subject is compulsory (Art. 3(2)(a) of the Regulation), the Company reiterates that it does not offer goods and services to European customers. The Company argues, on the basis of what has been established by the Committee for the Protection of Personal Data in guidelines no. 3/2018 and Recital 23 of the Regulation, that the analysis of the existence of the criterion should be carried out in the sense of ascertaining whether Clearview's sales activity is intentionally, and not inadvertently or accidentally, directed at persons who are in the Union.
The Company considers that the arguments put forward by the Garante in its objection under Article 166 of the Code are not suitable to prove the existence of the criterion for the following reasons:
- it is true that, in the past, Clearview has offered its products in Canada, as this is a market where, for reasons of proximity to the US market, expansion is quite natural; however, as a result of the proceedings initiated by the Canadian Privacy Commissioners, the Company has ceased all processing activities in that country and this cannot be a proof of its intention to enter the Italian market;
- the media reports that Clearview intends to expand its activities in several countries, in particular Italy, cannot be used: these are speculations based on the fact that the company previously had test users in the European Union and cannot be used to infer the Company's intention to offer products or services in Italy;
- Clearview has received unsolicited test account requests from European users, but such access is no longer available as the Company has decided not to offer its product in the context of the European Union, even before the Garante opened the present investigation; moreover, the notion of 'intention' (to provide services to data subjects in one or more EU Member States) mentioned in Recital 23 must be interpreted, in accordance with Guidelines 3/2018, as a deliberate and existing intention and not hypothetical and future;
- the measure taken by the Swedish Data Protection Authority concerns one of the test accounts mentioned above and now no longer available. Moreover, these accounts have never been made available to natural persons and in fact, in the Swedish decision, it appears that the software had been used by Swedish law enforcement agencies;
- with regard to the criterion of monitoring the behaviour of data subjects who are in the European Union, in so far as that conduct takes place within the Union (Art. 3(2)(b) of the Regulation), the Company observes that, from Recital 24, the criterion in question relates to processing activities which enable monitoring of the behaviour of data subjects, including the potential subsequent use of personal data processing techniques. These techniques consist in the profiling of a natural person, in particular, in order to take decisions relating to him or her or to analyse or predict his or her personal preferences, behaviours and attitudes; from this definition, it emerges that not all monitoring is relevant, but only those that concern or refer to the behaviour of the persons concerned, to be understood as specific actions carried out by them (e.g. what they buy, where they go, how they live);
- in light of the above definition of monitoring, Clearview considers that it does not carry out processing activities aimed at analysing the behaviour of the data subjects, nor does it create any "profile" related to a natural person: Recital 24 of the Regulation states that a processing activity can potentially be considered as monitoring if 'natural persons are tracked on the Internet, including the possible subsequent use of personal data processing techniques which consist in profiling a natural person'. The term 'tracking' is not defined, but the meaning of the verb must be understood in the sense that a person is tracked over time. The term 'profiling' is defined in Article 4(1)(4) of the Regulation and means 'any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person'. Furthermore, the Committee explains that the term 'monitoring' implies that the controller has a specific purpose for the collection and subsequent re-use of data concerning an individual's behaviour within the Union;
- Clearview's only purpose is to offer a search engine to allow the search of images on the Internet by its customers. The facial vectors that the Company uses to search for images cannot be used to mathematically infer or derive information about a person because they are not linked to name and/or location and/or other identifiers. Even if a facial vector is obtained, it could not be analyzed to reveal intelligible information about a person's facial characteristics. Tracking over time is not possible because a search always produces only the results available at the time of the search. Therefore, even a comparison of searches made at different times does not allow a person to be traced; what can happen is that a police officer finds an investigative clue and then conducts specific investigations which, however, are not done by the Clearview software. Certainly, the company concludes, this is not tracking by automated means. The same applies to profiling, as, according to the Company's reconstruction, a police officer can draw conclusions about a person, for instance because an image search produces a match with the suspect, but these conclusions are not drawn on the basis of Clearview's software, as the information comes from third-party sites;
- in order to be considered as monitoring within the meaning of this criterion, the processing of the data by the data controller must be for the purpose of carrying out any subsequent behavioural analysis or the use of profiling techniques. Clearview does not have, nor would it be technically capable of achieving, those objectives;
- the Garante itself does not appear to be able to indicate unequivocally whether the activities carried out constitute monitoring (only behavioural monitoring) or a profiling activity, despite the fact that, as already stated, no profiles are created and no analysis of their behaviour is carried out;
- Clearview argues that the mere collection of data, even of a significant volume, does not automatically constitute monitoring;
- the Article 29 Working Party on Automated Decision Making concerning Individuals and Profiling (Guidelines WP251), at page 7, states that the use of the verb 'to assess' suggests that 'profiling involves some form of assessment or judgement about a person. Simply classifying people based on known characteristics such as age, sex and height does not necessarily lead to profiling. Profiling depends on the purpose of the classification'. The example provided in the guidelines on the same page makes the point even clearer when it states that 'a company may want to classify its customers by age or gender for statistical purposes and to gain an aggregate view of its customers without making predictions or drawing conclusions about a specific person. In this case, the purpose is not to evaluate individual characteristics and therefore it is not profiling'. From this it is clear that purpose is the decisive element in assessing whether processing falls within the definition of profiling;
- the WP251 guidelines, on the same page, referring to the recommendation CM/Rec. (2010)13 of the
Council of Europe, specify that the activity of profiling is divided into three steps: i) collection
of data; ii) automated analysis to identify correlations; iii) application of the correlation to a
natural person to identify present or future behavioural characteristics. They add that 'the data
controller performing profiling shall ensure that it complies with the requirements of the
Regulation in relation to all of the above steps'. Even assuming that Clearview's system is involved
in the first two stages, it is clear from the facts that the third stage is outside the scope of
what the Clearview software can do and the commercial position of the Company. If any present or
future behavioural characteristics of a natural person are identified through the use of the search
results provided by the software, the data controller is not Clearview, but the customer who
purchases the service. The Swedish authority stressed in its decision that the Swedish police (and
only the police), as a customer of the software, was the controller and that it was independent of
Clearview, the provider of the search tool;
- Clearview collects images and tags related to the Internet sources from which they are collected.
It is only when a customer queries the database by submitting an image to be searched that it is
compared with those collected by Clearview. Once the images are matched, the customer receives the
result and Clearview achieves its commercial purpose by matching images that have previously
undergone a hashing process; all subsequent activities and related data processing by the customer
are not part of Clearview's business, but are a separate business decision based on the purposes
pursued by the customer in its capacity as autonomous data controller;
- moreover, Article 3(2)(b) does not apply generically to profiling, but refers to behavioural
monitoring and therefore requires that the controller's processing activities be carried out to
obtain an analysis of the behavioural habits of individuals, a purpose that Clearview is clearly
not pursuing or achieving. The company does not classify individuals in any way. In addition, the
software is not capable of assessing, judging, or predicting behaviour; the data provided to the
customer is simply images, metadata (if any) and their source (URL) on the Internet at the time of
the search;
- as regards the geolocation data referred to in Clearview's privacy policy, the term 'geolocation'
refers only to the location metadata embedded in the photo, indicating where the photo was taken.
Clearview does not provide such location metadata to customers, but if an online photo has embedded
location metadata, the customer can see it when using the photo's URL link, just as anyone else
viewing the photo on the Internet can;
- finally, with reference to the request that the complainant XX provide a copy of his identity
document, which was contested as being unjustified, the Company requires people who request access
to data to provide an official photo ID. Clearview has no means of verifying the identity of the
persons appearing in the images it collects and does not retain any information about their names,
e-mail addresses, residence or identity, as is also clear from the results of the face search (Face
Search Results) that Clearview provides in response to data access requests. It is impossible for
the company to know from a simple name whether the person making a data access request is present
in the database; the Clearview software therefore needs a photo for the search to take place and,
in order to avoid fraudulent requests, the Company has decided that this photo should be the one on
an official document, such as an identity card. The Company does not retain images of ID cards or
use them for any other purpose. This request does not seem excessive, given that Article 12(6) of
the Regulation expressly provides that '[...] if the controller has reasonable doubts about the
identity of the natural person submitting the request referred to in Articles 15 to 21, he may
require the provision of further information necessary to confirm the identity of the data subject';
- with reference to complaints XX and XX, the Company reiterates that it is not subject to the
Regulation and that the privacy policy is consequently compliant with US standards. However, the
Company is willing to act voluntarily to resolve the complaints and therefore to delete all the
images and links produced by the image search for the photos provided by the two complainants. The
Company has voluntarily extended the rights of those concerned to European residents as a gesture
of goodwill and transparency, and it is in the same spirit that it is offering the deletion of the
images and links relating to the complainants; however, this cannot be construed as acceptance of
Italian jurisdiction and/or applicability of the GDPR, which are contested and strongly denied.
In a note dated 12 October 2021 (prot. no. 50926/2021), the Office, following the receipt of the
complaints XX and XX, notified Clearview, pursuant to Article 166(5) of the Code, of a supplementary
complaint and, at the same time, initiated the procedure for the adoption of the measures referred
to in Article 58(2) of the Regulation, concerning the alleged violations of articles 5, par. 1 lett.
a) and b), 6, 9, 12, 13, 15 and 27 of the Regulation.
With the same note, the Company was again informed of the possibility of producing defensive
writings or documents and possibly of requesting to be heard by the Authority (art. 166,
paragraphs 6 and 7 of the Code).
By note dated 11 November 2021 (prot. no. 56766/2021), Clearview submitted its own
defensive memorandum, stating that:
- the Company does not operate in any member state of the European Union, does not monitor the
behaviour of interested parties located in the European Union and therefore no European authority
has jurisdiction over its activity, except in violation of the international principle of
territoriality;
- there is no legal basis to justify administrative proceedings against companies which are not
established in Italy and which do not do business in Italy; such proceedings would violate U.S.
public order;
- with specific reference to the Regulation, the Company reiterates the non-applicability of art. 3,
paragraph 2, letters a) and b), which establishes the criteria for the application of the Regulation to companies that are not
established in the European Union;
- in particular, Article 3(2)(a) of the Regulation is not applicable because Clearview does not
offer products and services in the Union, as already pointed out in previous correspondence. The
Company reiterates that it provides an image search engine for law enforcement agencies outside
the Union;
- moreover, Article 3(2)(b) applies to the "behavioural monitoring" of data subjects in the Union.
Although there is no definition of monitoring, the wording and the rationale of Article 3 make it
clear that it requires the observation of a natural person for a certain period of time;
- Recital 24 clarifies that in order to determine whether processing consists in the monitoring of
behaviour, it must be ascertained whether the natural person is tracked on the Internet. In this
regard, the Company refers to the contribution of Thomas Zerdick, a member of the European
Commission's drafting team on the Regulation, who argues that the monitoring under Article 3(2)(b)
must be equivalent to the surveillance of a person (citing as an example systems that take
photographic snapshots vs. real-time monitoring systems);
- Clearview's search engine only provides snapshots of photos available on the Internet at the time
the customer performs the search. The Company does not collect or provide any information about the
location, browser history, business activity or behaviour of the natural person who appears as a
search result and does not involve any behavioural, predictive or analytical models. The
information that can be obtained about a person using Clearview's search engine is less meaningful
than that which can be obtained from a search based on that same person's name, and no one claims
that a Google browser search constitutes behavioural monitoring;
- if, for instance, one were to do a Google Search with the names of the complainants, limiting it
to images, the answer would provide photos, presumably of the complainants, as they are freely
available on the Internet. Furthermore, by clicking on the results, the URL would direct to
websites where the photos appear and from which further information could be obtained (the company
provides screenshots of a similar Google search with the names of the complainants XX and XX);
- as is well known, Google's search engine does not monitor individuals, but is rather an algorithm
that makes information published on the Internet accessible. Google provides a snapshot of the most
relevant pieces of information on a specific search at the moment of execution of that search. The
same happens with the results of a search made with the Clearview product. There might be elements
(leads) for further searches, but nothing more;
- it is clear from the wording of Recital 24 of the Regulation that the legislator intended to
refer to a subsequent use of the information derived from the monitoring, so that constant
monitoring is a prerequisite for any 'subsequent use'. Clearview's technology does not produce such
information, but only the results of a search that the customer can then use to make further
searches, also on the basis of other sources of information. Clearview is only a search engine;
- the company only provides a tool; it is not the owner of the search conducted by the user of the
tool or of any subsequent use of the search results. It is Clearview's customer who decides to use
the search engine to search for images, uploading an image to obtain the results corresponding to
that image, and who decides what to do with the search results. So, it is the customer who decides
whether the tool can be used within a specific regulatory framework, and Clearview is paid for the
tool, not for the results of the search or what the customer will do with the results of the search;
- this interpretation is confirmed by Article 25(1) of the Regulation, which provides that the
controller, when determining the means of processing, must ensure that the parameters of the
Regulation are respected. Accordingly, the onus is on the customer, who is the data controller, to
determine whether and how to use Clearview's search engine. This approach also explains why the
Swedish and Finnish Data Protection Authorities have initiated proceedings against national law
enforcement agencies and not against Clearview;
- the Supervisor will also have to take into account the fact that the company has implemented
technical measures to ensure that searches cannot be carried out from the European Union or Italy.
These measures have been taken in order to remove any doubt under European law, given that the
product is not offered to or within the European market;
- the Company therefore requests that the Garante close the proceedings for lack of jurisdiction;
- in a globalised world, it is impossible to take all existing laws into account when designing a
product. Clearview complies with US law and, since the Regulation does not apply to its services,
there is no need to examine it further. Moreover, since Google's search engine is presumed to
comply with European law, Google being established in the Union and offering its services to users
in the Union, even if the Regulation were found to be applicable to Clearview, the processing of
the complainants' data should be considered lawful;
- although the Company does not offer its products in the European Union and the Regulation does
not apply to it, Clearview voluntarily complies with requests for access from European residents;
- the Company has complied with the request of the complainant XX on 29 April 2021 and has
responded to Complainant XX's request on 29 September 2021, prior to the notification of the
supplementary complaint of the Guarantor;
- the Company takes the complainants' grievances into serious consideration and offers to implement
measures to ensure that the two persons concerned are no longer the subject of searches on
Clearview's search engine. Given that these measures involve costs and resources, the Company asks
whether intervention could help settle the cases.
3. OUTCOME OF THE INVESTIGATION
3.1 CHARACTERISTICS OF THE SERVICE OFFERED
Clearview is a company, with registered office in the United States, incorporated in 2017, which
has created a facial recognition search engine. On the basis of the information obtained in the
course of mutual assistance with other European supervisory authorities, the information disclosed
by the Company itself and the complaints and reports received by the Garante, it appears that the
facial recognition platform developed by Clearview allows images to be searched for in its own
database. The Company, in fact, collects, through web scraping techniques, images from social
networks (e.g. Twitter or Facebook), blogs and, in general, from websites with publicly accessible
photos, but also from videos available online (e.g. on YouTube). The images thus collected are
processed using biometric techniques in order to extract the identifying characteristics of each of
them and, subsequently, transformed into 'vector representations'. These representations,
consisting of 512 vectors tracing the various unique lines of a face, are subsequently hashed for
the purposes of database indexing and subsequent search. The Company therefore creates biometric
templates that, in the search phase, are compared with the sample being searched, generating a
1-to-N (one-to-many) verification process. The image hash, the unique identifier of each image (a
sort of facial fingerprint), facilitates, as mentioned, the indexation and subsequent search. The
platform was explicitly created to generate high-quality investigation leads.
Each image can be enriched with associated metadata (e.g. title of the image or web page, source
link, geolocation, gender, date of birth, nationality, language) so that when the software
identifies a match, it extracts all the relevant images from the database and presents them to the
service customer as the result of the search, together with the associated metadata and links, thus
making it possible to trace each individual source.
An image collected in this way remains in the database even if the original photo or reference web
page is subsequently removed or made private.
As can be seen from the company's website (https://...) the platform 'includes a database of over
10 billion facial images from public web sources, including news media, mugshot websites, public
social media and other publicly available sources'.
The machine learning technology that underpins the Clearview platform was the subject of a patent
application filed on 11 February 2021 with the US Patent & Trademark Office and with the World
Intellectual Property Organization.
This application shows that the technology, referred to as "Method for providing information about
a person based on facial recognition", comprises various methods for providing information about a
person based on facial recognition and various applications thereof, including face-based check-in,
face-based personal identification, face-based identity verification, face-based background checks,
facial data collaborative network, face-related search and face-based personal identification.
These methods are represented as capable of providing accurate information about a person in real
time.
The Company's own patent application provides precise details on how the technology works. The
system consists of the following steps: (i) receiving facial image data including at least one
facial image of the subject from a user's device; (iii) comparison, via a server, of the reference
facial recognition data with facial recognition data associated with a plurality of stored facial
images in order to identify at least one likely candidate corresponding to the captured image;
(iv) based on the identification of the candidate corresponding to the captured facial image,
retrieval from the database of the personal information associated with the candidate;
(v) returning the personal information to the user's device and ensuring that the user's device
displays the personal information.
Clearview, therefore, not only collects images to make them accessible to its customers, but also
processes the images collected through web scraping, using a proprietary facial matching algorithm,
in order to provide a highly qualified biometric search service.
Moreover, according to the information available on Clearview's website, the service offered is not
freely accessible to the public, but is intended for certain categories of customers (i.e. police
forces).
This leads to the conclusion that Clearview's platform has specific characteristics which
differentiate it from a common search engine that does not process or enrich images on the web. In
particular, Clearview does not work on cache memory, but creates a database of image snapshots that
are stored as present at the time of collection and not updated. Moreover, as mentioned, Clearview
processes these images using biometric techniques, hashes them and associates them with any
available metadata. The Company's allegations that the service it offers is similar to the service
offered by Google Search therefore appear to be unfounded.
3.2. EXISTENCE OF EU JURISDICTION
Article 3 of European Regulation No 2016/679 governs its "Territorial scope of application",
identifying different requirements depending on whether or not the data controller is established
in the territory of the European Union.
In the present case, Clearview has not identified an establishment in Europe and therefore, in
order to conduct an assessment of the applicability of European data protection legislation to the
Company's processing of personal data, it is necessary to verify the existence of the criteria set
out in article 3, paragraph 2, of the Regulation (so-called targeting). Such criteria are the offer
of goods or services to data subjects located in the EU or the conducting, with respect to the
latter, of an activity related to the monitoring of their behaviour, in so far as the latter takes
place in the Union.
First of all, it must be said that, in order for the targeting criterion to apply, the data being
processed must relate to data subjects in the Union. In the present case, the fact that Clearview
is processing personal data of individuals in the European Union and, in particular, in Italy, is
clear from the evidence that the company has provided to the complainants, from which it is
apparent that images of the complainants have been collected, that such images have been associated
with metadata and subjected to biometric processing (these images are, in fact, the result of the
identification resulting from the comparison of the data stored in the database with the sample
provided by the complainants), but also, indirectly, from the evidence that emerged in the context
of the proceedings initiated by the European supervisory authorities (cf. the decision of the
German Authority of the Land of Hamburg (decision 545/2020; 32.02-102) and the Commission Nationale
de l'Informatique et des Libertés (CNIL, Decision n° MED 2021-134 of 1st November 2021 issuing an
order to comply to the company CLEARVIEW AI)).
ART. 3, PAR. 2, POINT. (A) OF THE REGULATION
With regard to the first of the profiles considered (see Article 3(2)(a) of the Regulation),
Clearview, in the course of the procedure, has stated that it does not offer services in Europe and
that it does not have any European customers using the facial recognition system produced by the
Company.
However, the arguments put forward by the data controller are contradicted, with reference to what
has happened so far, by the measure recently adopted by the Swedish Supervisory Authority
(DI-2020-2719:A126.614/2020 of 10 February 2021) in relation to the use of the facial recognition
system offered by Clearview by national law enforcement officers, which presupposes, ab origine,
that the service was used by European users.
In addition, as Clearview stated in its memorandum of 22 June (prot. No 33759/2021), during 2020
the company decided to close its European accounts and to no longer offer its product in the
context of the European Union, by blocking access to European IPs. Therefore, by Clearview's own
admission, up to a certain date the company was offering, and had the intention to offer, its
services in Europe as well.
For the purposes of the applicability of the targeting criterion set out in Article 3(2)(a) of the
Regulation, on the basis of the indications contained in the "Guidelines 3/2018 on territorial
scope" adopted by the Committee for the Protection of Personal Data on 12 November 2019, it is
required that the conduct of the "controller, which determines the means and purposes of the
processing, demonstrates its intention to offer goods or services to a data subject located in the
Union" (cf. paragraph 2.a of the cited Guidelines). In particular, Recital 23 of the Regulation
states that "[w]hile the mere accessibility of the website of the controller, processor or an
intermediary in the Union, an e-mail address or other contact details or the use of a language
customary in the third country where the controller is established are insufficient to ascertain
such an intention, factors such as the use of a language or currency customarily used in one or
more Member States, with the possibility of ordering goods and services in that other language, or
the mention of customers or users located in the Union, may indicate the controller's or
processor's intention to offer goods or services to data subjects in the Union".
The Court of Justice of the European Union itself (Pammer v Reederei Karl Schlüter GmbH & Co and
Hotel Alpenhof/Heller (Joined Cases C-585/08 and C-144/09)) has also indicated a number of factors
for considering that a commercial activity carried on by a person is directed towards a Member
State, citing, inter alia, the fact that the European Union is mentioned in relation to the goods
or services offered, the international nature of the activity, or the launch of advertising and
marketing campaigns aimed at the public in an EU country.
The intention of the data controller to target the European market, as well as being confirmed by
the decision of the Swedish Data Protection Authority and the note of June 2021 mentioned above, is
also evident from the terms in which the privacy policy was formulated prior to the amendments made
as of 20 March 2021, i.e. at a time between the first request for information by the Guarantor,
dated 9 March 2021, and the subsequent reply provided by the company on 25 March 2021.
Until then, that information notice contained, in fact, a series of indicators from which it was
possible to infer the intention of the data controller to address the offer of its service also to
users from the European Union, including the legal basis of the processing, in line with the
provisions of Article 6 of the Regulation, the commitment to adopt adequate guarantees to comply
with the rules on the protection of personal data in the event of any transfer of data outside the
European Economic Area and the possibility for residents of the European Economic Area or
Switzerland to lodge a complaint with the competent Data Protection Authority concerning the
processing of their data by Clearview.
In particular, two points of the information notice seem relevant, the one on "Independent
Recourse" and the following one on "International Transfers". The first one states that "Residents
of the European Economic Area or of Switzerland who wish to submit a complaint or seek resolution
of a dispute related to Clearview AI's processing of personal data may seek appropriate recourse
free of charge by contacting the appropriate Data Protection Authority (DPA) in their respective
country" [emphasis added], while the second states that "The personally identifiable information we
receive in the computers and systems of our offices in the United States is processed by us in the
United States, where laws regarding data protection may be less stringent than the laws in your
country. When personal data is transferred outside the EEA, we will put in place suitable
safeguards to ensure that such transfer is carried out in compliance with applicable data
protection rules. Clearview deeply values user privacy and data security controls; our
cybersecurity infrastructure includes technical and policy controls that are consistent with the
requirements of General Data Protection Regulation" [emphasis added].
Furthermore, with specific regard to the recipients of the service, the "Terms of Use of the Service", applicable from 17 January 2020, provided that "User" shall mean "each organisation (...) and all persons accessing the Service as Executive Users or Permitted Users".
broader range of people than just law enforcement officers, to whom Clearview has referred in its findings, and confirms that it has made available to European government agencies until March 2020.
Article 3(2)(b) of the Regulation
The second of the criteria of targeting identified, that is, that of Art. 3, para. 2, letter b), leads to
the application of the European Data Protection Regulation to the processing activities related to the
monitoring of the behaviour of data subjects in the European Union which takes place within the
Union.
The nature of the processing activity that can be considered as conduct monitoring
is specified in Recital 24 of the Regulation, which provides that in order to "determine whether
a processing activity can be assimilated to behavioural monitoring of the data subject, it is
individuals are being tracked on the Internet, including the possible subsequent use of personal data processing techniques consisting in the profiling of the individual, in particular in order to take decisions concerning him or her or to analyse or predict his or her personal preferences, behaviours and attitudes".
The aforementioned Guidelines 3/2018 specify that, for the provision to be operational, it is not necessary to investigate the existence, on the part of the data controller, of the intention to "target a subject", but that, nevertheless, "the use of the word 'monitoring' implies that the controller has a specific purpose in mind for the collection and subsequent re-use of relevant data about the behaviour of a natural person within the EU" (see para. 2.c of the above-mentioned Guidelines) and that, in this respect, it is essential to assess whether there is any tracking of natural persons on the Internet, including the possible subsequent use of profiling techniques.
The processing carried out by Clearview consists, as represented, in the collection of images from the web (so-called web scraping) and their processing with automated tools in order to create vectorial representations of faces and, subsequently, to hash them in order to index the data, an operation necessary to establish a possible correlation with the images being compared uploaded by users. The activity carried out does not therefore appear to be superimposable, as declared by the company, to that carried out by any search engine, taking into account that the data controller carries out a technical processing of the images collected, so as to render them 'biometric data', which are moreover associated with information that is certainly capable of identifying the person portrayed.
The information notice published on Clearview's website indicates, in fact, that, in addition to the photographs
available to the public and available on the internet, also the information which can be extracted
from these photographs, such as the geolocation metadata they may contain,
as well as information derived from the analysis of the faces of the persons depicted and which, as such,
constitute, as said, biometric data on the basis of which the process of
is carried out.
But it is precisely this last step that constitutes the key to understanding the entire collection and processing process carried out by Clearview, which aims to create a data set to which the images uploaded by the user can be compared and then extract, from its own archive, the images that can be associated with them from a biometric point of view, as well as related information. The search mechanism is therefore a means of activating a process of comparison that qualifies the purpose of the processing carried out by the supplying company, as well as that carried out by the customers who use the service. There is therefore a correlation between the two types of processing, which is also recognised in the European Regulation when, for the purposes of applying the targeting criterion, it refers to the circumstances in which "the processing activities are related to (...) b) the monitoring of their behaviour as far as their behaviour takes place within the Union".
The information in question is stored in the Clearview database and is enriched over time with new templates reflecting the physical changes made by the same person, as can be seen from the examination of some of the complaints lodged with the Authority (see in particular the complaint lodged by Mr XX). It follows that Clearview not only offers as a search result a simple correspondence, but also an archive of resources that stretches over time. The assessment of this circumstance, together with the comparative purpose outlined above, is capable of constituting, as required by Recital 24, an activity assimilated to the monitoring of the conduct of the data subject in that it is carried out by means of internet tracking and subsequent profiling.
Contrary to Clearview's objections in its defence (see Memorandum No 33759 of 22/06/2021), the activity carried out by Clearview does not appear to be attributable to a mere classification of individuals on the basis of known characteristics such as age, sex and height, since a further activity is carried out, consisting in extracting biometric data from images collected on the web, using them for comparative purposes, and then retrieving the information associated with them. The same Company, in the patent application filed with the US Patent & Trademark Office on 11 February 2021, in describing the purposes of the processing carried out through the use of facial recognition tools, highlights the potential suitability of such a system to be used for the purpose of acquiring accurate information about persons and assessing their specific characteristics. And it must be considered that search engines, to which Clearview seeks to assimilate its activity, also carry out a type of processing which, albeit carried out with instruments other than those used by the company, may have the effect of constructing a personal profile of the person concerned - to whom the search refers - by virtue of the association created between the information resulting from it. In this regard, it should be considered that the Court of Justice of the European Union, with the judgment of 13 May 2014 C/131-12 (Google Spain), found that the operator of a search engine carries out processing distinct from that carried out by the publishers of the websites, to which it adds, in that it enables data to be made accessible 'to any internet user who carries out a search from the name of the person concerned, even to those users who would not otherwise have found the web page on which those data are published' (see paragraph 36 of the judgment), stating, moreover, that 'the organisation and aggregation of information published on the Internet, carried out by search engines in order to facilitate access to that information for their users, may have the effect that those users, when their search is made from the name of a natural person, obtain through the list of results a structured overview of the information relating to that person available on the Internet, which enables them to establish a more or less detailed profile of that person' (see paragraph 37 thereof).
Article 4(1)(4) of the Regulation describes 'profiling' as 'any form of automated processing of personal data consisting of the use of (...) personal data for the purpose of assessing certain personal aspects relating to a natural person, in particular to analyse or predict aspects of a natural person's professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements of that natural person'.
On the basis of the provisions of the "Guidelines on automated decision-making relating to individuals and profiling", adopted by the Committee for the Protection of Personal Data on 3 October 2017 and amended on 6 February 2018, "the widespread availability of personal data on the Internet and those obtainable from Internet of Things devices, coupled with the ability to find correlations and make connections, can enable the determination, analysis and prediction of aspects of a person's personality, behaviour, interests and habits." The cited Guidelines identify three specific phases that characterise the activity of profiling, establishing that it must (a) concern personal data, (b) be a form of automated processing and (c) be aimed at assessing personal aspects relating to a natural person.
These steps are certainly integrated into Clearview's processing, including, contrary to the company's assertion, the moment of assessment, which can be said to coincide with the biometric comparison activity - carried out following the execution of a search by the user - and with the subsequent extraction of the profiles that can be associated with the image loaded into the system. This part of the process, which is always carried out by Clearview, is quite distinct from any further evaluation activity that may be carried out by the end user on the basis of the results of the consultation and which, although related to the former in the sense required by Art. 3.2.b, is not superimposable on it, as the company argues in its defence.
The overall assessment of the circumstances set out above leads to the conclusion that the conditions are satisfied for the applicability of Article 3(2) of the Regulation and of the rules contained therein, in the light of which the processing of personal data of Italian data subjects carried out by Clearview must therefore be assessed (see on this point also the decision of the German supervisory authority of the Land of Hamburg (decision 545/2020; 32.02-102) and of the Commission nationale de l'informatique et des libertés (CNIL, Decision n° MED 2021-134 of 1st November 2021 issuing an order to comply to the company CLEARVIEW AI)).
3.3. EXISTENCE OF THE COMPETENCE OF THE GUARANTOR
The processing carried out by Clearview qualifies as cross-border processing of personal data within the meaning of Article 4(1)(23) of the Regulation, as it is likely to affect data subjects in more than one Member State.
For this type of processing, where the data controller has established a single or main establishment in the European Union, the cooperation mechanism described in Articles 60 et seq. of the Regulation applies, whose management is entrusted to the so-called "Lead Supervisory Authority", which coincides with the supervisory authority of the Member State in which the establishment is located.
However, in cases where the prerequisite for the operation of this mechanism is not met, i.e. the presence on European territory of an establishment of the data controller, the latter will have to "interface with the supervisory authorities of each Member State in which it operates through the designated representative" (see par. 3.3. of the "Guidelines on the Lead Supervisory Authority" adopted by the Article 29 Working Party on 13 December 2016, revised on 5 April 2017 and taken on by the Data Protection Committee on 25 May 2018).
In the present case, Clearview is a company based in the United States of America which does not have establishments in the territory of the European Union and, therefore, on the basis of the provisions of Art. 55 of the Regulation, "each supervisory authority shall be competent to carry out the tasks assigned to it and to exercise the powers conferred on it under the Regulation in the territory of the respective Member State".
This provision is therefore capable of founding the competence of the Italian Data Protection Authority to assess, with regard to its own territory, the conformity with the European Regulation of the processing of personal data carried out by Clearview and to exercise the powers conferred on it by Article 58 (see similar conclusion contained in paragraph IV of the decision of the Commission nationale de l'informatique et des libertés - CNIL, Decision n° MED 2021-134 of 1st November 2021 issuing an order to comply to the company CLEARVIEW AI).
3.4 EXISTENCE OF PERSONAL DATA PROCESSING AND GENERAL CONSIDERATIONS ON THE LAWFULNESS THEREOF
It should first be noted that a photographic image constitutes "personal data" within the meaning of Article 4(1)(1) of the Regulation in so far as it enables a natural person (data subject) to be identified. The same provision specifies that an identifiable person is 'a person who can be identified, directly or indirectly, with particular reference to [...] one or more characteristic elements of his physical identity'. The Court of Justice of the European Union has intervened specifically on the subject of photographic images, stating that "the image of a person recorded by a camera constitutes personal data within the meaning of the provision mentioned in the previous point [Art. 2.a of Directive 95/46, ed.] makes it possible to identify the person concerned" (see judgment of 11 December 2014, Case C-212/13, para. 22).
Personal data obtained by specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person which allow or confirm their unambiguous identification, such as facial image, are defined as 'biometric data' within the meaning of Article 4(1)(14) of the Regulation and, as such, are subject to the system of greater protection provided by Article 9 of the Regulation.
The difference between the two types of data is well defined by recital 51 of the Regulation, according to which 'the processing of photographs should not systematically constitute the processing of special categories of personal data, since they fall within the definition of biometric data only when they will be processed by means of a specific technical device enabling identification or authentication of a natural person'.
As regards the concept of 'processing', it should be noted that it is defined by Article 4(1)(2) of the Regulation as 'any operation or set of operations [...] which is performed upon personal data or sets of personal data, such as collecting, recording, organising, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, comparison or interconnection, restriction, erasure or destruction'.
As set out in section 3.1, the investigation has shown that Clearview has created a database of more than 10 billion facial images, which are collected on the Internet through web scraping techniques and are subjected to a biometric processing process with subsequent hashing for indexing and search purposes, by making the database available to third parties.
Given that the data in question are classifiable as common and biometric data, it is necessary to analyse
whether the activity carried out by the Company can be qualified as processing within the meaning and for the
effects of the Regulation.
In this regard, it seems first of all necessary to recall that the public availability of data on the Internet does not imply, by the mere fact of their public status, the legitimacy of their collection by third parties. In fact, any data that is published online undergoes such a processing operation (in particular, dissemination) on the basis of a legal basis and for specific and legitimate purposes established and pursued by the data controller who ordered its publication.
Also the so-called OSINT techniques (open-source intelligence), which consist in the collection and processing of information, including personal data, from freely available sources, such as the Internet and public data, can only be carried out on an appropriate legal basis, as recently clarified by the European Data Protection Supervisor with reference to the aforementioned activity carried out by Europol (see EDPS Opinion on the possibility to use Clearview AI and similar services at Europol (Case 2020-0372)).
Similarly, it should be noted that the publication of personal data on the Internet by the individual, for instance in the context of a social media network, is not in itself a sufficient condition to legitimise their free re-use by third parties. Indeed, if it is true that the Regulation (and, therefore, in this case, the principle of purpose under Art. 5, par. 1(b) of the Regulation) does not apply to the processing of personal data carried out by a natural person for the exercise of activities of an exclusively personal or domestic nature (so-called household exemption, referred to in Art. 2(2)(c) of the Regulation), also with reference to online activities, it is also true that the exemption must be interpreted restrictively. As stated by the Court of Justice of the European Union, the exemption 'covers only activities which fall within the private or family life of individuals, which is clearly not the case with the processing of personal data consisting in their publication on the Internet in such a way as to make those data accessible to an indefinite number of persons' (see judgment of 6 November 2003, Case C-101/01, par. 47). It must therefore be held that the publication of personal data by the data subject on social networks is also subject to the mere purpose for which the data subject intended to publish them (e.g. visibility within a particular social network for the sole purposes underlying the use of that SNS).
The correctness of the thesis is supported by the Article 29 Working Party, which clarified "that, even if personal data have been made accessible to the public, they continue to be regarded as such and, consequently, appropriate safeguards continue to be required for their processing" (see Opinion 6/2014 - WP217) and, more recently, by the Committee for the Protection of Personal Data, which has established that "any communication of personal data constitutes a specific processing for which the controller must have a legal basis among those referred to in Article 6", that "the transmission of films to third parties for purposes other than those for which the data were collected is possible under Article 6(4)" and, finally, that "the receiving third party will have to carry out its own legal analysis, in particular by identifying the legal basis of its processing under Article 6" (see Guidelines 3/2019 on the processing of personal data by means of video devices, version 2.0, 29 January 2020).
As regards, in particular, data scraping, this is a particular mode of collection which takes place
completely without the knowledge of the data subjects.
As mentioned above, the possible public nature of the images is not sufficient for the data subject to reasonably expect them to be used for facial recognition purposes, moreover, by a private platform, not established in the European Union and of whose existence and activity most of the persons concerned are unaware.
In addition, web scraping activities are almost always prohibited by social networking service providers, by means of explicit clauses contained in the terms of service. This is so much so that, in the present case, press reports have shown that some of the major providers of such services (Twitter, Youtube, LinkedIn) have sent Clearview a warning to stop collecting data that can be used to identify a person (cease and desist letter).
On the basis of the above, it can reasonably be concluded that the collection of personal data freely available on the Internet by means of web scraping techniques constitutes processing of personal data, which must be justified by one of the legal bases provided for in Article 6 of the Regulation.
If we wish to transpose this principle to the present case, we consider that the activity of web scraping of images carried out by the Company constitutes the collection of personal data, which constitutes the processing of personal data.
In the present case, however, the Company does not limit itself to collecting images from the Internet, given that further processing operations are carried out on such data, in this case, biometric processing and indexing by means of hashes. More in detail, the images depicting faces of persons are subjected to further operations of treatment (vectorial representation) which transform the common image (personal data) into a facial image (biometric data). Finally, the operation of interconnection of the image data (common and biometric) referred to above with metadata collected, stored and associated with the facial images is to be added, which, in turn, may contain personal data revealing racial or ethnic origin, political opinions, religious or philosophical convictions, trade union membership (the images may in fact be obtained from websites of associations of believers of a certain religion or of members of a trade union or political party), circumstances that confirm the peculiarity of the processing carried out by Clearview.

of the collection, creates the algorithm to be used for the creation of the vector representations, and determines which hash function to use to store the images in this way, also determining the parameters necessary for indexing the information and enriching it with metadata for more effective search results.
The company therefore uses its own means to collect images and subsequently transform them into biometric data, and has a proprietary database in which the information is stored and extracted as a result of the search performed by the user. Clearview's aim is to make available, for a fee, information, such as images and metadata, which is useful to customers for different and additional purposes. The European Data Protection Supervisor also came to the same conclusion in the above-mentioned opinion, in so far as it excludes Clearview from being classified as a data controller acting on behalf of Europol (and Europol could not, therefore, use its services within the meaning of Article 17(2) of EU Regulation 2016/7943) on the grounds that Clearview sells a facial recognition service fully hosted and managed on its own platform, deciding autonomously the purposes and the essential elements of the means of the services it offers (see EDPS Opinion on the possibility to use Clearview AI and similar services at Europol (Case 2020-0372), p. 3).
The characteristics of Clearview's activity are sufficient in themselves to argue that it is a controller. But those considerations also appear to be supported by the fact that, until March 2021, the privacy policy published on the company's website contained a series of elements unquestionably referable to the figure of the data controller, such as indication of the legal basis of the processing, of the rights that can be exercised by the data subjects, and of a specific e-mail address that can be used for requests for information and the exercise of the rights of the data subject under the Regulation. This address, however, was expressly referred to the function of data protection officer, whose appointment is the responsibility of the data controller, in accordance with the rules of the Regulation governing the appointment and powers of the Data Protection Officer.
The fact that the customer who uses the platform pursues his own purposes is not relevant for the purposes of the profiles that are of interest here. As clarified by the Committee for the Protection of Personal Data, if a subject alone decides the purposes and modalities of the operations preceding or following in the processing chain, that person must be considered the sole controller of the preceding or succeeding operation (see the European Data Protection Board's Guidelines 07/2020 on the concepts of controller and processor in the GDPR, para. 57). Therefore, the circumstance that Clearview's customers may pursue purposes other than those related to Clearview's business neither infringes nor is incompatible with the latter's role as data controller.
3.6 VIOLATIONS FOUND
3.6.1 ART. 5, PAR. 1 LETTERS. A), B) AND E) OF THE REGULATION
First of all, the Office contested the infringement of Article 5(1)(a) of the Regulation, which provides for compliance with the principles of lawfulness, correctness and transparency in the processing of data vis-à-vis the data subject.
On this point, Recital 39 of the Regulation expressly provides, inter alia, that 'it should be transparent to individuals how personal data concerning them are collected, used, consulted or otherwise processed and the extent to which personal data are or will be processed. The principle of transparency requires that information and communications relating to the processing of such personal data must be easily accessible and comprehensible and that clear and plain language is used [...]'.
As stated above, in the present case, the persons concerned have no contact with the Company, are not directly informed of its activities, nor are they the recipients of any information, not even by consulting the Clearview website.
Secondly, the Office contended that there was a breach of Article 5(1)(b) of the Regulation, which provides for compliance with the principle of purpose limitation which, even in the context of the balancing test between the legitimate interests of the data controller and the rights and freedoms of the data subject (see below), is one of the key factors to be taken into account and which is embodied in the reasonable expectations of data subjects (see Opinion 6/2014 - WP 217, p. 47) that their images could be subject to further processing.
In the present case, this principle does not seem to be fulfilled, also considering the absence of any relationship between the persons concerned and the company. In fact, the possible public nature of the images is not sufficient to suggest that the data subjects can reasonably expect them to be used for facial recognition purposes, moreover by a private platform, not established in the European Union and of whose existence and activity most of the persons concerned are unaware. On the other hand, and as already stated, the public nature of the images does not automatically entitle Clearview to re-use them in an unrestricted manner, as the company would like to imply.
Finally, the Office contested the violation of Article 5(1)(e) of the Regulation, which provides for compliance with the conservation principle.
There is no indication of any retention period either from an analysis of Clearview's privacy policy, or from the feedback received from the company, which was incomplete on this point, or from the information contained in the complaints submitted by the interested parties.
The Company has represented that the images are collected and stored with all references (metadata) relating to the source and the time of collection, thus creating a database, stratified and fed in a progressive and constant manner, consisting of a series of information linked to a certain image over time. This aspect leads to the assumption that such information is kept indefinitely and is deleted only upon the request of the persons concerned. Among other things, this circumstance also contradicts what Clearview has stated, in that the processed images are not always publicly available, as the database also contains images that have been made private or deleted from their original source after they have been collected by the Company.
As a result of the foregoing, Clearview is deemed to have infringed Article 5(1)(a), (b) and (e) of the Regulation. In particular, with reference to the obligations of transparency and Article 5(1)(a) of the Regulation in the light of the seriousness, nature and impact of the specific infringements of Articles 6, 9 and 12 to 14 of the Regulation (cf. EDPB binding decision 1/2021).
3.6.2. ART. 6 OF THE REGULATION
According to Article 6 of the Regulation, the processing of personal data is lawful if, and to the extent that,
at least one of the conditions listed in the same article is met.
In the present case, since it is not disputed that the consent of the persons concerned has not been obtained, and excluding the existence of the circumstances referred to in letters b), c), d) and e), it is necessary to analyse whether the legitimate interest of the data controller can be considered to exist, a legal basis implicitly invoked by the company in so far as it equates its activity with the processing carried out by Google Search in its indexing activity.
In this respect, it seems appropriate to recall the general position adopted on this point by the European Data Protection Board, which ruled out the possibility of 'a general authorisation to re-use and further process personal data made available to the public under Article 7(f) [i.e., the legitimate interest of the current Article 6(f)]', allowing at most for that circumstance to be a possible element in the balancing of interests (see Opinion 6/2014 - WP217).
In the present case, the legitimate interest of the company consists of a profit motive in the face of processing that is intrusive in the private sphere of individuals, since it consists in the collection of photographic data, associated with further links which are capable of revealing various aspects of the private life of individuals. These data are also subjected to biometric processing and, finally, by the company's own declaration, relate to a particularly large number of subjects, to which must be added a further element of delicacy, that relating to the availability on the Internet of images of minors, which are also subject to processing.
In view of the foregoing, it is considered that the Company's legitimate interest in free economic initiative cannot but be affected by the rights and freedoms of the persons concerned, in particular the serious threat to the right to privacy, the prohibition on being subjected to automated processing and the principle of non-discrimination inherent in the processing of personal data such as that carried out by the Company.
In conclusion, it is considered that Clearview cannot claim any valid legal basis on which to base the lawfulness of the processing of personal data.
3.6.3. ART. 9 OF THE REGULATION
In the preceding paragraphs, it has been pointed out that the processing carried out by Clearview is not limited to a simple collection of data, but also consists of a further processing which renders the collected images 'biometric data' and, therefore, subject to the stricter protection of art. 9 of the Regulation.
This article contemplates the legal regime concerning the special categories of data, providing for a general ban on processing, subject to certain exceptions. It seems clear that the rationale of the provision is to provide enhanced protection for certain categories of data, requiring, from the point of view of application, a combination of the guarantees of Article 6 and the rules of Article 9 of the Regulation. This also means that, in order to legitimise a processing activity, a data controller who processes special categories of data can never invoke only a legal ground under Article 6, but must also apply, cumulatively, the provisions of Article 9 cited above in order to guarantee the relevant level of protection. This view was expressed by the European Data Protection Board in Guidelines no. 8/2020 'on the targeting of social media users', which reiterated that 'in addition to the conditions of Article 9 GDPR, the processing of special categories of data must be based on a legal basis established in Article 6 GDPR and be carried out in accordance with the fundamental principles set out in Article 5 GDPR'. The cumulative application of the protections provided for by the articles mentioned above is also crucial to exclude interpretations that would lead to the possibility of processing special categories of data, without Article 6, in the presence of the exceptions set out in Article 9. As reiterated, once again, by the European Data Protection Board, 'it would be inappropriate to conclude, for example, that the fact that someone has made particular categories of data manifestly public in accordance with Article 8 [now Article 9 of the GDPR], paragraph 2(e), is (again in and of itself) a sufficient condition to permit any kind of data processing, without carrying out a comparative test of the balancing of the interests and rights at stake in accordance with Article 7 [now Article 6 of the GDPR], letter f' (see Opinion 6/2014 - WP217).
In conclusion, for the reasons set out above, with regard to the processing carried out by Clearview, not only must it be considered that there is no valid legal basis under Article 6 of the Regulation, but the processing also infringes the general prohibition on the processing of special categories of data (with reference to biometric data).
3.6.4. ARTICLES 12, 13, 14 AND 15 OF THE REGULATION
The complaints submitted to the Authority were preceded by the forwarding to the data controller of prior requests aimed at knowing which personal data concerning the data subjects were held by the Company, as well as, in some cases, the additional information indicated in Article 15 of the Regulation.
The complainants complained, in most cases, of the lack, delay or inadequacy of the reply received and, therefore, of a breach of Article 12 of the Regulation, which governs the procedures which the data controller must comply with, inter alia, in respect of communications following the exercise of the rights provided for in Articles 15 to 22 by the data subject.
These circumstances were then the subject of a communication of initiation of proceedings pursuant to Article 166(5) of the Code by the Authority, as a result of which the following emerged:
- with regard to Mr. XX and Mr. XX, all the information required under art. 15 of the Regulation was not provided in a clear and explicit manner, but only a file containing the images extracted from the system and associated with the photograph submitted by the persons concerned together with the identity document, referring, as regards the remaining requests, to a generic link to the Company's privacy policy. Moreover, the reply was given in a period exceeding the thirty days indicated in Article 12, paragraph 3, of the Regulation and only after several reminders sent by the persons concerned;
- with regard to the complaint lodged by Mr XX, it was found that data, such as the identification document, had been requested in order to process the request for access formulated by him.
The relations between the data controller and the data subjects, according to the indications provided by the
information relating to the processing carried out, as well as with reference to the communications provided following the exercise of rights. In particular, pursuant to Article 12(2), the data controller must facilitate the exercise of the rights of the data subject under Articles 15 to 22 and this with regard both to the modalities used to provide the feedback and to the timing of it which, on the basis of the provisions of paragraph 3 of the same article, must be provided 'without undue delay and, in any event, at the latest within one month of receipt of the request', except in the case of specifically regulated exceptions.
In some of the cases examined by the Authority - specifically XX and XX - the data subjects had to repeat their access requests several times before receiving a reply from Clearview, and this despite the fact that the contact channels indicated on the company's website were used (online form and e-mail address dedicated to privacy requests).
The procedures made available by the Company for the exercise of rights were therefore neither easy nor clear, also by virtue of the overlapping of the channels indicated for making contact with it, and the deadlines set out in the Regulation for providing feedback to the interested parties have not been respected, nor have the specific reasons required by Article 12(4) of the Regulation for a possible extension of that time limit been communicated. Furthermore, Clearview, in order to process the requests for access, has asked the interested parties for identification data, such as an identity document, which is excessive in relation to the purpose pursued since, together with that document, they were also asked to produce an image with which to compare the data in the data controller's file.
It is true, as argued by Clearview, that Article 12(6) of the Regulation provides that 'where the controller has reasonable doubts as to the identity of the natural person making the request referred to in Articles 15 to 21, it may request further information necessary to confirm the identity of the data subject', but the provision requires that such doubts be 'reasonable' in the terms also specified by Recital 64. In the cases examined, the images requested from the data subjects, together with the other information provided, could be considered sufficient and, in any event, any further doubts could be overcome without necessarily requiring the attachment of a copy of the identity document.
The reply to the requests for access, in particular as regards the complaints lodged by Mr XX and Mr XX, was also partial, since no timely and transparent communication was provided with reference to the categories of information provided for in Article 15(1) of the Regulation, which therefore appears to have been infringed.
The data controller, with a view to a relationship with the persons concerned based on correctness and transparency, is also required to provide some general information on the processing carried out, identified by Articles 13 and 14 of the Regulation, which must be not only complete but also updated in order to take into account all the changes that occur over time.
As specified in paragraph 3.2, Clearview has made substantial changes to the information published on its website as from 20 March 2021, i.e. in the interim period between the first two complaints (XX and XX) and the next two complaints (XX and XX).
The privacy policy on the website up to that date contained a number of indications concerning the data processing carried out by Clearview, which appeared to comply with the information content of Articles 13 and 14 of the Regulation, which, moreover, was expressly mentioned. Even at that time, the information, although it explained various aspects of the processing carried out, appeared to be partial in that it lacked crucial elements, such as a specific indication of the legitimate interest pursued by the data controller, or a specification of the data of persons whose images are held in Clearview's database.
And this is true both with regard to the information to be provided with reference to personal data collected directly from the data subject (see Article 13 of the Regulation), such as, for example, those of users requesting the service and of those exercising their rights under Articles 15-22, and with reference to personal data collected through other sources and then processed by the company (see Art. 14 of the Regulation).
Following the actions taken by various European supervisory authorities, the Company has, by its own statement made in the course of the proceedings, amended the information on the website, removing from it all references to the European Data Protection Regulation and also eliminating entire sections which, in substance, implemented what it provided for (e.g. the explicit indication of the legal bases of the processing or the indication of the rights that can be exercised by the data subjects and which were based on those set out in Articles 15-22 of the Regulation).
The current privacy policy continues to provide for the possibility for the interested parties to know the information concerning them or to obtain its deletion, but in the context of what is provided for by the legislation applicable in California (see the California Consumer Privacy Act (CCPA) and California Civil Code of 1798 cited in the information notice) and therefore in different terms from those of the European Regulation.
For example, a restriction has been included - not provided for in the European legislation, or at least not in the manner indicated by the data controller - on the number of access requests that the data subject may make within a period of twelve months, which has been limited to two.
The deadlines for responding to the requests are also different from and longer than those of Article 12(3) of the Regulation, providing that if it is impossible for the data controller to comply with them, this must simply be communicated to the data subject without indicating the specific conditions under which the postponement could be considered legitimate.
Finally, the exercise of the right of access is subject to the provision by the data subject of an identity document, while in the case of the exercise of the right of deletion, there is the possibility for the data controller not to comply with it if, in the specific case, one of the exceptions indicated in the provisions of the CCPA, which are not mentioned, is applicable.
On the basis of the findings, it must therefore be held that there has been an infringement of Articles 12, 15, 13 and
14 of the Regulation.
3.6.5. ARTICLE 27 OF THE REGULATION
Article 27 of the Regulation provides that, where Article 3(2) applies, the data controller is required to designate in writing a representative in the European Union, who must be established in one of the Member States in which the data subjects whose data are processed in the context of the supply of services, or whose behaviour is monitored, are located, and who acts as an interlocutor, in particular for the authorities and data subjects, for all matters concerning the processing.
In the present case, the overall assessment of the circumstances set out above leads to the conclusion that the conditions for the applicability of Article 3(2) of the Regulation have been met; Clearview processes personal data of data subjects located in the Union and its processing activities are related to the provision of services to European users, as well as the monitoring of the behaviour of individuals who are in the territory of the Union.
The Company is therefore obliged to designate, by means of a written mandate, a representative in the territory of the European Union who will be responsible for interacting on its behalf with respect to the obligations deriving from the Regulation, also with regard to cooperation with the Control Authority.
Failure to do so constitutes a breach of Article 27 of the Regulation.
3.6.6. ARTICLE 22 OF THE REGULATION
In the notice of initiation of the procedure pursuant to Article 166 of the Code notified on 22 April 2021, the Office also contested the alleged violation of Article 22 of the Regulation, considering that the processing carried out by the Company could imply the possibility of making decisions, even partially automated, capable of producing significant effects with regard to the rights of the persons concerned. The preliminary investigation did not reveal any evidence of such violation. The Company has not, in fact, provided any specific feedback on this profile and no technical system elements are currently available that could corroborate the thesis of the existence of automated processing. It should also be noted that Article 22 provides for the right not to be subjected to a decision based solely on automated processing, but, from what emerged during the preliminary investigation phase, such a decision seems at most to be taken by the customers of the service offered by Clearview and not by the Company, which has implemented and made available to third parties its facial recognition system.
From this point of view, it is therefore considered that there are no grounds for considering that there has been a
violation of article 22 of the Regulation.
CONCLUSIONS
In the light of the above assessments, we therefore confirm most of the objections of the Office notified with the act of initiation of the procedure and the unlawfulness of the processing of personal data carried out by the Company, in violation of Articles 5(1)(a), (b) and (e), 6, 9, 12, 13, 14, 15 and 27 of the Regulation.
The violation of the aforementioned provisions also renders applicable the administrative sanction foreseen by art. 83, par. 5, of the Regulation, pursuant to Article 58(2)(i) and Article 83(3) of the Regulation and Article 166(2) of the Code.
4. CORRECTIVE MEASURES
Article 58(2) provides the Garante with a series of corrective powers of a prescriptive and sanctioning nature, to be exercised in the event that unlawful processing of personal data is ascertained.
Among these powers, Art. 58, para 2, letter f) of the Regulation provides for the power to 'impose a temporary or definitive restriction on processing, including prohibition of processing'.
In the light of the foregoing, given that the processing of personal data carried out by Clearview is in breach of the principles of the Regulation, of the rules which those principles specify, in particular those on the legal basis, and of the rules on the rights of the data subjects, which are the cornerstone of the Regulation, it is necessary, pursuant to Art. 58(2)(f) of the Regulation, to provide for a prohibition of the processing, consisting in i) prohibition of further collection, by means of web scraping techniques, of images and related metadata concerning persons who are on the Italian territory
common and biometric data processed by the Company through its facial recognition system relating to persons who are on Italian territory.
Pursuant to article 58, paragraph 2, letter g) of the Regulation, it is also necessary, in order to make effective the protection of the numerous persons concerned by the processing carried out by the Company, to provide for a general order for the deletion of the aforementioned data, without prejudice to the obligation to provide timely response to requests for the exercise of the rights referred to in Articles 15-22 of the Regulation which may have been received in the meantime from interested parties. In the latter cases, in order to facilitate the exercise of the rights of the persons concerned, the response must be provided in accordance with the timeframe and procedures set out in Article 12(3) of the Regulation.
Pursuant to art. 58, par. 2, letter d), of the Regulation the Company is also ordered to designate, within thirty days from the notification of the measure, a representative in the Italian territory who will act as an interlocutor, in addition to or in place of the data controller, with the interested parties in order to facilitate the exercise of their rights.
Pursuant to Articles 58(1)(a) of the Regulation and 157 of the Code, the Company shall communicate to this Authority, providing adequately documented feedback, within thirty days from the notification of this measure, the initiatives taken in order to implement the above order pursuant to the aforementioned art. 58, par. 2, letter f), as well as any measures implemented to facilitate the exercise of the rights of the persons concerned.
5. INJUNCTION ORDER FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION AND ACCESSORY SANCTIONS
The Garante, pursuant to Articles 58(2)(i) and 83 of the Regulation and Article 166 of the Code, has the power to impose a pecuniary administrative sanction pursuant to Article 83, in addition to or instead of the other corrective measures provided for in the same paragraph. In such a case, the Garante shall adopt the injunction order by which it shall also order the application of the accessory administrative sanction of its publication, in full or in part, on the website of the Garante pursuant to Article 166, paragraph 7, of the Code (Article 16, paragraph 1, of the Garante's Regulation No. 1/2019).
In the present case, taking into account the provision of Article 83(3) of the Regulation, it is first of all established that the most serious breach must be identified in the sanction provided for in Article 83(5) of the Regulation, which sets the maximum fine at EUR 20 million or, in the case of undertakings, at 4% of the annual worldwide turnover in the preceding business year, whichever is the greater.
Pursuant to Article 83(1) of the Regulation, the administrative penalty must be effective,
proportionate and dissuasive in relation to the individual case.
Pursuant to Article 83(2) of the Regulation, the decision on the determination and quantification of the amount of the sanction, in order for it to be effective, proportionate and dissuasive, must be taken in the light of a series of factors listed in paragraph 2(a)-(k).

In order to determine the amount of the fine in this case, account must be taken of the factors referred to in Article 83(2) of the Regulation, which in this case can be considered in the following terms:
1. nature of the data processed;
2. seriousness and duration of the breach;
3. number of subjects involved;
4. degree of responsibility of the data controller;
5. measures adopted by the data controller;
6. degree of cooperation with the supervisory authority.
In relation to the nature of the data, account should be taken of the fact that the processing relates to special categories of data, in particular biometric data - possibly also of minors - in respect of which the data protection framework provides for a higher level of protection.
As regards the seriousness of the infringements, it is noted that Clearview has violated Articles 6 and 9 of the Regulation, which are the conditions of lawfulness and thus the fundamental requirements for the processing within the meaning of the Regulation. An unlawful processing of biometric data for facial recognition purposes must, moreover, be considered a very serious infringement given the position taken by the European and Italian legislators on the unlawfulness of this type of activity, which constitutes mass surveillance. The violations, moreover, do not constitute an isolated event, since the processing carried out by the Company is systematic and has continued even after the service was no longer offered to customers established in the European Union.
As regards the number of persons involved, the figure is not precisely quantifiable, but considering that the collection of images was carried out using web scraping techniques, it is reasonable to assume that a very high number of persons are involved, potentially all natural persons who are in Italy and are present on the Internet, through accounts on social network services or other publicly accessible sources that portray them for personal or professional reasons.
The degree of liability of the data controller is very high, as the unlawful processing activity has not only continued despite the intervention of numerous data protection authorities (European and non-European), but its legitimacy is also being strongly asserted through the denial of European, and in particular Italian, jurisdiction.
Notwithstanding the above-mentioned interventions of other authorities and the objections raised by the Garante in the two acts of initiation of proceedings under Article 166 of the Code, the Company has not adopted any measures to bring its activities into line with the Regulation and, on the contrary, decided to amend, in March 2021, its privacy policy by eliminating any reference to it.
Lastly, with reference to the degree of cooperation, it should be noted that the Company, while formally replying to both the request for information and the two objections pursuant to art. 166 of the Code, has maintained and reiterated the inapplicability of the Regulation to the
The only mitigating factor is the lack of previous infringements committed by the data controller or previous measures pursuant to Article 58 of the Regulation.
In view of the above elements, assessed as a whole, in the absence of data relating to the total annual worldwide turnover of the Company in the previous financial year, it is deemed appropriate to determine, pursuant to Article 83(3) of the Regulation, the amount of the fine for the infringement of Articles 5(1)(a), (b) and (e), 6, 9, 12, 13, 14, 15 and 27 at an amount equal to the maximum fine provided for by Article 83(5) of the Regulation, considered to be the most serious infringement, i.e. a total of EUR 20 million (in detail, EUR 3.8 million for each infringement of Articles 5, 6 and 9 of the Regulation; EUR 2 million for each violation of Articles 12, 13, 14 and 15 of the Regulation; EUR 600,000 for the violation of Article 27 of the Regulation).
This pecuniary administrative sanction is considered, pursuant to Article 83(1) of the Regulation, effective, proportionate and dissuasive.
Taking into account the particular sensitivity of the data processed, it is also considered that the ancillary sanction of the publication of this measure on the website of the Garante, as provided for by Article 166, paragraph 7 of the Code and Article 16 of the Regulation of the Guarantor no. 1/2019, should be applied.
Please note that under Article 170 of the Code, anyone who, being obliged to do so, does not comply with this provision prohibiting the processing of personal data shall be punished by imprisonment from three months to two years and that, in the event of failure to comply with the same measure, the sanction referred to in Article 83(5)(e) of the Regulation applies.
Lastly, the conditions set forth in Article 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at the performance of the tasks and the exercise of the powers entrusted to the Garante, are deemed to be met for the annotation of the violations detected herein in the Authority's internal register, provided for in Article 57(1)(u) of the Regulation.
IN VIEW OF ALL THE FOREGOING, THE GUARANTOR
Pursuant to Article 57(1)(f) of the Regulation, declares unlawful the processing described in the terms set out in the grounds, carried out by Clearview AI, with registered office at 214 W 29th St, 2nd floor, New York City, NY, 10001, U.S.A., and consequently:
a) pursuant to Article 58(2)(f) of the Regulation, prohibits the continuation of the processing and the further collection, by means of web scraping techniques, of images and relevant metadata concerning persons on Italian territory, and prohibits any further processing of common and biometric data processed by the Company through its facial recognition system, relating to persons who are on Italian territory;
b) pursuant to Article 58(2)(g) of the Regulation, orders the deletion of the data, common and biometric, processed by the Company through its facial recognition system relating to persons who are on Italian territory, without prejudice to the obligation to provide a timely response to requests to exercise the rights under Articles 15-22 of the Regulation that may be received from interested parties, in accordance with Article 12(3) of the Regulation;
c) pursuant to Article 58(2)(d) of the Regulation, orders the Company, within thirty days of notification of the measure, to designate a representative in the territory of the European Union to act as an interlocutor, in addition to or in place of the data controller, with the persons concerned in order to facilitate the exercise of their rights.
ORDERS
Clearview AI, with registered office at 214 W 29th St, 2nd floor, New York City, NY, 10001, U.S.A., to pay the sum of EUR 20 million by way of an administrative fine for the violations indicated in the grounds, stating that the offender, pursuant to Article 166, paragraph 8, of the Code, has the right to settle the dispute, with the fulfilment of the prescriptions given and the payment, within the term of sixty days, of an amount equal to half of the sanction imposed.
ENJOINS
the aforementioned Company, in the event of failure to settle the dispute pursuant to Article 166, paragraph 8, of the Code, to pay the sum of twenty million euros, according to the modalities indicated in the annex hereto, within 30 days from the notification of this measure, under penalty of the adoption of the consequent executive measures pursuant to Article 27 of Law no. 689/1981.
PROVISIONS
a) pursuant to Article 17 of the Regulation of the Guarantor no. 1/2019, the annotation in the Authority's internal register, as provided for by Article 57(1)(u) of the Regulation, of the violations and the measures adopted;
b) pursuant to Article 166, paragraph 7, of the Code, the publication in full of this provision on the website of the Garante.
Pursuant to Article 58(1)(a) of the Regulation, the Garante invites the data controller to communicate, within 30 days from the date of receipt of this measure, which initiatives have been taken in order to implement the provisions of this measure, providing adequately documented feedback. Please note that failure to reply to the request pursuant to Article 58 is punished with the administrative sanction of Article 83(5)(e) of the Regulation.
Pursuant to Article 78 of the Regulation, as well as Articles 152 of the Code and 10 of Legislative Decree of September 2011, no. 150, an objection may be lodged against this measure with the ordinary judicial authority, by means of an appeal lodged with the ordinary court of the place where the data controller resides, or, alternatively, with the court of the place of residence of the data subject, within a period of 30 days from the date of communication of the measure, or 60 days if the appellant resides abroad.
Rome, 10 February 2022
THE PRESIDENT
Stanzione
THE REPORTER
Scorza
THE SECRETARY GENERAL
Mattei