DSB (Austria) - 2022-0.277.156: Difference between revisions

From GDPRhub

Revision as of 13:39, 22 May 2023

DSB - 2022-0.277.156
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 3(2)(b) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 09.05.2023
Published:
Fine: n/a
Parties: Clearview AI
National Case Number/Name: 2022-0.277.156
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): German
Original Source: DSB (in DE)
Initial Contributor: mg

The Austrian DPA found that Clearview AI’s processing activities violated the GDPR. Nevertheless, it neither imposed a fine nor ordered the controller to stop the processing.

English Summary

Facts

A data subject requested the controller – Clearview AI – to erase their personal data. Clearview is a US-based company whose business consists in scraping the web to collect pictures from several sources, finding correlations between pictures through AI and indexing them. Clearview’s clients access the resulting database by uploading a picture of the person they are looking for. In this way clients have access to other pictures and related URLs.

The data subject lodged a complaint with the Austrian DPA, which is competent as Clearview has no establishment in the EU. According to the data subject, the controller unlawfully processed personal data without a legal basis in violation of Articles 6(1) and 9(2) GDPR. The controller also violated the principle of purpose limitation and Article 27(2) GDPR, as it did not establish a representative in the EU. The data subject asked the Austrian DPA not only to force the controller to erase their data, but also to prevent the controller from processing personal data of other people living in the EU.

The controller claimed that the GDPR was not applicable, as Clearview had no establishment in the EU, did not offer goods or services in the EU, and did not monitor people in the EU. The controller claimed that Clearview’s search tool gave access to less personal data than a search on general search engines. The controller did not analyse the behaviour of data subjects whose pictures were collected, nor did it profile them in any way. The controller did not track users’ activities on the Internet, either.

The data subject replied that a series of linked pictures was nothing other than another form of monitoring. Moreover, the scraping and indexing of new pictures relating to individuals was continuous: as soon as a new photo popped up on the internet, it was collected by the controller to update this monitoring. A comparison with general search engines was incorrect, as the controller used a biometric criterion and the search produced only pictures of that individual. By contrast, typing a person’s name on search engines like Google also gives access to information that is not related to that individual.

Holding

To ascertain whether the GDPR applied to the facts at issue, the Austrian DPA addressed the question of whether Article 3(2)(b) GDPR covered the processing activities undertaken by the controller. The DPA highlighted that Article 3(2) GDPR is very broad in its formulation: not only processing activities directly aiming at monitoring, but also processing activities “related to the monitoring” are covered. According to the supervisory authority, both profiling and tracking fall within the category of “monitoring”. For these reasons, the controller was subject to the GDPR.

The Austrian DPA found that the controller violated the principle of purpose limitation as the purpose for which Clearview processed personal data was different from the purposes for which data were published on the internet.

The controller also violated the principles of fairness and transparency – Article 5(1)(a) GDPR – since the data subject could not expect that their data would be disclosed to Clearview’s clients, most notably law enforcement agencies. Article 9 GDPR was also violated by processing special categories of data – and more precisely biometric data – outside of the cases provided for by this provision.

The processing was therefore unlawful and the Austrian DPA ordered the controller to delete the data subject’s pictures. However, the Austrian DPA did not impose a ban on Clearview’s activities in the EU pursuant to Article 58(2)(f) GDPR, considering the deletion sufficient to enforce the regulation. As a matter of fact, the data subject had no subjective right to a ban.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.