AN - 2185/2021: Difference between revisions
From GDPRhub
No edit summary |
|||
| (14 intermediate revisions by 4 users not shown) | |||
| Line 4: | Line 4: | ||
|Court-BG-Color= | |Court-BG-Color= | ||
|Courtlogo=Courts_logo1.png | |Courtlogo=Courts_logo1.png | ||
|Court_Abbrevation= | |Court_Abbrevation= AN | ||
|Court_Original_Name=Audiencia Nacional - Sala de lo Contencioso-Administrativo | |Court_Original_Name=Audiencia Nacional - Sala de lo Contencioso-Administrativo | ||
|Court_English_Name=National Court - Chamber of the Contentious-Administrative | |Court_English_Name=National Court - Chamber of the Contentious-Administrative | ||
|Court_With_Country= | |Court_With_Country= AN (Spain) | ||
|Case_Number_Name= | |Case_Number_Name=2185/2021 (Appeal number - Número de Recurso) | ||
|ECLI= | |ECLI= | ||
|Original_Source_Name_1=Audiencia Nacional - Sala | |Original_Source_Name_1=Audiencia Nacional - Sala de lo Contencioso-Administrativo | ||
|Original_Source_Link_1=https://gdprhub.eu/images/ | |Original_Source_Link_1=https://gdprhub.eu/images/4/41/0002185-2021_Redacted.pdf | ||
|Original_Source_Language_1=Spanish | |Original_Source_Language_1=Spanish | ||
|Original_Source_Language__Code_1=ES | |Original_Source_Language__Code_1=ES | ||
| Line 21: | Line 21: | ||
|Original_Source_Language__Code_2= | |Original_Source_Language__Code_2= | ||
|Date_Decided= | |Date_Decided=27.06.2024 | ||
|Date_Published= | |Date_Published= | ||
|Year=2024 | |Year=2024 | ||
| Line 51: | Line 51: | ||
|Party_Link_3= | |Party_Link_3= | ||
|Appeal_From_Body=AEPD | |Appeal_From_Body=AEPD (Spain) | ||
|Appeal_From_Case_Number_Name=E/04461/2021 | |Appeal_From_Case_Number_Name=E/04461/2021 | ||
|Appeal_From_Status= | |Appeal_From_Status= | ||
| Line 69: | Line 69: | ||
=== Facts === | === Facts === | ||
Clearview AI Inc. (the controller) is a | Clearview AI Inc. (the controller or Clearview) is a company established in the United States. The controller scrapes the internet for photos of faces. Users of its services can upload a photo of the face of a person and obtain other photos of the same person, based on facial recognition technology. They also obtain the URLs where those photos were found. These searches may identify a data subject’s social media accounts or other webpages that disclose further personal data about them. The controller claimed to have the biggest known database of facial images with more than 10 billion images. | ||
In February 2020, September 2020 and January 2021, the data subject submitted access requests as well as objections to processing to the controller via the email address privacy@clearview.ai. The controller did not respond until 29 January 2021, when it instructed the data subject to exercise its rights using a web form. The data subject submitted the form but did not receive a response. In March 2021 the data subject sent another email to the controller attempting to exercise their rights. The controller again responded by instructing them to fill out the web form. | In February 2020, September 2020 and January 2021, the data subject submitted access requests as well as objections to processing to the controller via the email address privacy@clearview.ai. The controller did not respond until 29 January 2021, when it instructed the data subject to exercise its rights using a web form. The data subject submitted the form but did not receive a response. In March 2021 the data subject sent another email to the controller attempting to exercise their rights. The controller again responded by instructing them to fill out the web form. | ||
On 10 March 2021 | On 10 March 2021 the data subject filed a complaint with the Spanish DPA (AEPD) alleging numerous infringements of the GDPR. The AEPD archived the complaint in September 2021 on the basis that it lacked competence because the controller did not fall within the scope of [[Article 3 GDPR#(2) Activity in the Union|Article 3(2) GDPR]]. This provision applies the GDPR to controllers established outside of the EU – in this case, the US – when they offer goods or services to data subjects in the Union of if they monitor their behaviour. The AEPD considered that the provision was not applicable in this case. | ||
The data subject initiated proceedings before the Administrative Chamber of Spain’s ''Audiencia Nacional'' (the Court) to challenge the AEPD’s decision. It argued that the AEPD is competent to handle the complaint because Clearview processed EU data subjects’ data surveilling their behaviour, bringing it within the scope of [[Article 3 GDPR#2b|Article 3(2)(b) GDPR]]. Specifically, the data subject claimed that the controller processed photographs “''through specific technical means allowing the unique identification or authentication of a natural person''”—a type of processing that Recital 51 GDPR explicitly considers processing of a special category of data. The data subject requested that the AEPD’s decision be annulled and that the Court: | |||
# Order the AEPD to recognize its competence to resolve the complaint and that, in consequence, the complaint be dealt with. | |||
# Order the AEPD to initiate sanctioning proceedings for infringements of Articles 6, 9, 14, 15 and 17 GDPR. | |||
# Order the AEPD to recognize its competence to resolve the complaint. | |||
# Order the AEPD to initiate sanctioning proceedings | |||
=== Holding === | === Holding === | ||
The Court partially upheld | The Court partially upheld the appeal. In relation to the first request, it found that the Spanish DPA was competent to resolve the complaint under the GDPR. Therefore, it must admit and handle the data subject’s complaint. The Court declared the second request inadmissible because the data subject did not have a subjective right nor a legitimate interest to request the Court to order a DPA to sanction a controller. | ||
===== Request to Order the AEPD to Initiate Sanctioning Proceedings ===== | ===== Request to Order the AEPD to Initiate Sanctioning Proceedings ===== | ||
The Court | The Court declared the data subject’s request that the Court order the AEPD to initiate sanctioning proceedings inadmissible. | ||
The Court reiterated the Supreme | The Court reiterated the jurisprudence of the ''Tribunal Supremo'' (Supreme Court) noting that complainants do not have a subjective right or legitimate interest in sanctioning a defendant. In data protection matters the sanctioning power is entrusted solely to the public administration – in this case, the AEPD. As a result, data subjects cannot challenge DPA decisions in a sanctioning procedure, nor can they request courts to impose administrative sanctions that were not imposed by the DPA. Administrative courts can control the legality of administrative acts in sanctioning matters, but they cannot impose administrative sanctions that were not imposed by the Administration (among others, [https://www.poderjudicial.es/search/AN/openDocument/8da9e7069a81151f/20091022 Judgement of the Supreme Court of 6 October 2009, no. 4.712/2005]). | ||
Because of this reasoning, the Court declared the request inadmissible. | |||
===== Request to Order the AEPD to Resolve the Complaint ===== | ===== Request to Order the AEPD to Resolve the Complaint ===== | ||
In contrast to its previous findings, the Court held that a data subject can challenge a decision issued in a procedure for the protection of rights where an authority does not admit the complaint filed. It found that the AEPD was competent and is, thus, obligated to handle the complaint. | |||
The Court rejected the AEPD’s finding that it lacked competence to resolve the complaint. It agreed with the data subject as well as DPAs in Hamburg, the Netherlands, France, Greece, Italy and the UK that the controller, in processing and scraping the personal data of European users, | The Court rejected the AEPD’s finding that it lacked competence to resolve the complaint. It agreed with the data subject as well as DPAs in Hamburg, the Netherlands, France, Greece, Italy and the UK that the controller, in processing and scraping the personal data of European users, falls within the scope of [[Article 3 GDPR#2b|Article 3(2)(b) GDPR]]. According to the Court, [[Article 3 GDPR#2b|Article 3(2)(b) GDPR]] does not mean that processing must have the purpose of controlling the behavior of the data subjects; it only requires that the processing be ‘linked’ to such a purpose. | ||
In particular, the Court relied heavily on the French DPA’s (CNIL) | In particular, the Court relied heavily on the [[CNIL (France) - MED-2021-134|French DPA’s (CNIL) decision of 26 November 2021]], in which it identified Clearview as falling within the scope of [[Article 3 GDPR#2b|Article 3(2)(b) GDPR]]. The CNIL had considered the controller’s processing, including scraping the web for photos of data subjects, the URLs where those photos are, the metadata contained in photos. According to the CNIL, Clearview's services allow for identifying, finding information on and creating a detailed profile about an individual. It can therefore be considered to be related to the monitoring of the behaviour of data subjects. The Court also noted that the [[Garante per la protezione dei dati personali (Italy) - 9751362|Italian DPA (Garante) had fined Clearview AI € 20 million]], prohibited further processing and ordered it to designate a representative in the EU. The Court agreed with the CNIL and the Garante that the processing falls within the scope of the GDPR and that the AEPD is thus competent to resolve the complaint of the data subject. | ||
For those reasons, the Court partially upheld the appeal and ordered the AEPD to admit and | For those reasons, the Court partially upheld the appeal and ordered the AEPD to admit and handle the complaint. | ||
== Comment == | == Comment == | ||
'' | The judgement of the ''Audiencia Nacional'' is in line with several decisions of European data protection authorities ([[DSB (Austria) - 2022-0.277.156|Austria]], [[CNIL (France) - SAN-2022-019|France]], [[HDPA (Greece) - 35/2022|Greece]], [[Garante per la protezione dei dati personali (Italy) - 9751362|Italy]], [https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/05/ico-fines-facial-recognition-database-company-clearview-ai-inc/ UK]). It corrects the AEPD's stance and, indirectly, contributes to a uniform approach throughout the European Union (and beyond) regarding Clearview. | ||
== Further Resources == | == Further Resources == | ||
| Line 107: | Line 107: | ||
== English Machine Translation of the Decision == | == English Machine Translation of the Decision == | ||
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. | The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. | ||
<pre> | |||
Resource No.: 0002185/2021 | |||
NATIONAL AUDIENCE | |||
Contentious-Administrative Chamber | |||
FIRST SECTION | |||
Resource No.: 0002185/2021 | |||
Type of Appeal: ORDINARY PROCEDURE | |||
General Registry No.: 19167/2021 | |||
Demanding: N.N | |||
Attorney: N.N | |||
Respondent: SPANISH DATA PROTECTION AGENCY | |||
State Attorney | |||
Speaker IImo. Mr.: N.N. | |||
S E N T E N C I A Nº: | |||
IImo. Mr. President: | |||
N.N. | |||
Ilmos. Messrs. Magistrates: | |||
N.N. | |||
N.N. | |||
N.N. | |||
Madrid, June twenty-seven, two thousand twenty-four. | |||
Seen by the Chamber, made up of the Magistrates related to the margin, | |||
the records of the contentious-administrative appeal number 2,185/21, filed by the | |||
Attorney of the Courts N.N., in the name and | |||
representation of N.N., against the resolution of 1 | |||
September 2021 from the Director of the Spanish Data Protection Agency, | |||
which agreed to file the claim filed against Clearview AI | |||
INC., relapsed in file E/04461/2021. The ADMINISTRATION has been part | |||
OF THE STATE. The amount of the resource was set at undetermined. | |||
1 | |||
Resource No.: 0002185/2021 | |||
FACTUAL BACKGROUND | |||
FIRST.- The appeal is admitted and the appropriate procedures have been carried out | |||
procedural matters, transfer was granted to the plaintiff so that, within the term of | |||
twenty days to formalize the demand, which was carried out in writing | |||
presented on December 20, 2021 in which, after presenting the facts and | |||
foundations of law that he considered appropriate, he ended up requesting that a | |||
judgment by which “WITH APPROVAL OF THIS APPEAL is annulled, | |||
revoke and annul the appealed resolution and, consequently: | |||
(i) the AEPD is ordered to recognize its competence to resolve the | |||
claim presented by my client and, consequently, proceed to the | |||
processing it until its resolution; and | |||
(ii) the AEPD is ordered to proceed with the initiation of the procedures | |||
administrative procedures that correspond to the imposition on Clearview of how many | |||
Sanctions may be appropriate based on the aforementioned infractions. | |||
of articles 6, 9, 14, 15 and 17 of the GDPR”. | |||
SECOND.- Once the demand was formalized, it was transferred to the party | |||
defendant to respond within twenty days, which he did | |||
through the pertinent writing, alleging the facts and legal bases that | |||
deemed pertinent, requesting that “a ruling be issued declaring the | |||
inadmissibility of this appeal or, alternatively, it is dismissed, confirming | |||
the contested administrative act.” | |||
THIRD.- By Order of July 11, 2022, it was agreed to receive | |||
proof of the appeal, admitting the documentary evidence proposed by the party | |||
actor. And, there being no more evidence to perform, the period of ten days was granted | |||
to the parties for the formulation of conclusions. Once presented the | |||
corresponding writings, the actions were pending voting and ruling, | |||
which was scheduled for June 25 of the current year, the date on which it took place. | |||
WITH THE EXHIBITION MAGISTRATE BEING SPEAKER. N.N. | |||
FOUNDATIONS OF LAW | |||
FIRST.- The plaintiff challenges the resolution of September 1, 2021 | |||
of the Director of the Spanish Data Protection Agency, by which it was agreed | |||
the file of the claim filed against Clearview AI INC., falling on the | |||
file E/04461/2021. | |||
2 | |||
Resource No.: 0002185/2021 | |||
From the data in the file, the following are proven | |||
facts relevant to issuing the resolution at hand: | |||
A) Clearview AI INC. is a company based in the United States of | |||
America founded in 2017, facial recognition platform that allows users | |||
Users upload an image of a person's face and track, based on the | |||
physical match, other photos of that person's face collected from the Internet. | |||
In his own words, the platform “includes the largest database | |||
known from more than ten billion facial images from sources | |||
public-only websites, including media outlets, mugshot websites, | |||
public social networks and other open sources.” | |||
B) On February 14, 2020, the appellant here requested Clearview to exercise, | |||
among others, access rights (art. 15 of Regulation (EU) 2016/679 | |||
of the European Parliament and of the Council of 27 April 2016 on the | |||
protection of natural persons with regard to data processing | |||
personal data and the free circulation of these data, hereinafter RGPD), and opposition | |||
(art. 21 of the GDPR), with respect to personal data processed by the latter as | |||
data controller on the basis of art. 14.1 c) of the GDPR. For this, it | |||
addressed to the email address privacy@clearview.ai indicated for this purpose | |||
by Clearview on their website https://www.clearview.ai/. | |||
C) Since the plaintiff did not receive a response, he repeated the request two more times. | |||
of rights through the same system, on September 13, 2020 and 28 | |||
January 2021 | |||
On January 29, 2021, Clearview urged the appellant to exercise his rights | |||
through the form on the Web, which was done on January 30, 2021. | |||
D) Upon not receiving a response, on March 1, 2021, the plaintiff repeated, for | |||
fifth time, the request to exercise your rights, this time through Email | |||
electronic. | |||
On March 8, 2021, the appellant received an email from Clearview | |||
urging you, again, to request the exercise of your rights through the form | |||
included on the website | |||
E) The plaintiff presented a claim on March 10, 2021 against | |||
Clearview AI INC. before the Spanish Data Protection Agency for infringement | |||
of the arts. 15, 17 and 21 of the GDPR. | |||
F) On March 22, 2021, the appellant received a response from Clearview AI | |||
INC. solely in response to your access request (art. 15 of the RGPD). | |||
G) Prior to the admission for processing of the claim presented, | |||
It was transferred by the Spanish Data Protection Agency to | |||
CLEARVIEW AI INC. to proceed with its analysis and respond to said | |||
Agency within one month. Likewise, the requested report was requested on the | |||
3 | |||
Resource No.: 0002185/2021 | |||
causes that motivated the incident that occurred, and details of the measures adopted | |||
to avoid similar situations. There is no record of receipt at the Agency of a | |||
response to the transfer by the claimed entity. | |||
SECOND.- Firstly, we will analyze the cause of inadmissibility of art. | |||
69.b) of the Law of Jurisdiction, raised by the legal representative of the | |||
General Administration of the State, based on the lack of active legitimation of the | |||
recurrent. | |||
To analyze this cause of inadmissibility, we must assume that the | |||
Legitimation is an inexcusable presupposition of the process, providing for art. 19.1.a) of the | |||
Law of Jurisdiction, which: “They are legitimized before the jurisdictional order | |||
contentious-administrative: a) Natural or legal persons who hold a | |||
right or legitimate interest.” | |||
In this sense, the Ruling of the Constitutional Court 52/2007, of 12 | |||
March, has specified that the legitimate interest, referred to in art. 24.1 of the | |||
Constitution “is characterized as a univocal material relationship between the subject and the | |||
object of the claim (challenged act or provision), in such a way that its | |||
Override automatically produces a positive (benefit) or negative effect | |||
(damage) current or future but certain, such relationship must be understood as referring to a | |||
interest in its own sense, qualified and specific, current and real (not potential or | |||
hypothetical). It is the potential ownership of an advantage or a utility | |||
legal, not necessarily of patrimonial content, by the person exercising the | |||
claim, which would materialize if this is successful. Or, what is the same, the interest | |||
Legitimate is any legal advantage or utility derived from the intended reparation. | |||
(SSTC 252/2000, of October 30, FJ 3; 173/2004, of October 18, FJ 3; and | |||
73/2006, of March 13, FJ 4; in relation to a union, STC 28/2005, of 14 | |||
February, FJ 3)”. | |||
In the specific area of sanctioning procedures, it has been pointed out | |||
in relation to legitimation in the Supreme Court Ruling of January 30 | |||
of 2001 - appeal no. 506/1998- that “the Chamber understands that the existence of | |||
Legitimation is linked to a legitimate interest of the party that claims it, | |||
being the key to determining whether or not that legitimate interest exists in the process of | |||
challenge of a resolution... the information of whether the imposition of a sanction can | |||
produce a positive effect on the legal sphere of the complainant or can eliminate a | |||
burden or burden in that sphere, and it will be so, in each case, and depending on what | |||
intended, as the appropriate answer to such a question can be given, not being | |||
that the imposition of the sanction constitutes in itself the satisfaction of a | |||
interest". | |||
More recently, in the field of data protection itself in which | |||
we find ourselves, it is worth mentioning the Supreme Court Sentence of October 6, | |||
2009 - appeal no. 4,712/2005 -, which states that “whoever reports facts that | |||
considered to constitute a violation of data protection legislation. | |||
of active standing to challenge through jurisdiction what the Agency resolves. | |||
4 | |||
Resource No.: 0002185/2021 | |||
This is clear from the rulings of this Chamber of November 6, 2007 and, with | |||
even greater clarity, dated December 10, 2008.” | |||
The reason for said lack of legitimation lies, according to the aforementioned Judgment, in | |||
that the complainant lacks the status of interested party in the procedure | |||
sanctioning that can be initiated as a result of your complaint, since in the regulations of | |||
data protection, that condition is not recognized. And as regards the | |||
general principles of administrative sanctioning law, continues the aforementioned | |||
Sentence “although on some occasions this Chamber has said that the complainant | |||
can challenge the filing of the complaint by the Administration, it is not admitted that the | |||
complainant can challenge the final administrative resolution. The crucial argument | |||
in this matter is that the complainant, even when he considers himself | |||
“victim” of the reported violation, does not have a subjective right or interest | |||
legitimate for the accused to be punished. The punitive power belongs | |||
only to the Administration that has been entrusted with the corresponding power | |||
sanctioning authority - in this case, the Spanish Data Protection Agency - and therefore | |||
Consequently, only the Administration has an interest protected by the legal system. | |||
legal in which the offender is punished. It is true that things are not like that in the | |||
criminal law itself, where popular action even exists, but this | |||
It is because there are rules that expressly establish exceptions that do not | |||
appear in administrative sanctioning law and, so now | |||
specifically interested in data protection legislation. It's more: | |||
Accepting the active standing of the complainant would not only lead to maintaining that | |||
has an interest that the legal system does not recognize or protect, but rather | |||
would also lead to transforming the contentious-administrative courts into a | |||
type of appeal bodies in sanctioning matters. The latter would mean | |||
accept that they can impose the administrative sanctions that the | |||
Administration, which would clash with the so-called “reviewing nature” of the jurisdiction | |||
administrative litigation. In other words, the contentious courts | |||
Administrative authorities can and must control the legality of administrative acts in | |||
sanctioning matter; but they cannot replace the Administration in the exercise of | |||
the sanctioning powers that the law entrusts to it. | |||
What has just been said must be clarified: the complainant of | |||
a violation of data protection legislation lacks locus standi | |||
to challenge the Agency's resolution regarding the result | |||
sanctioner himself (imposition of a sanction, amount thereof, exculpation, | |||
etc); but if necessary, it may have active legitimacy with respect to aspects | |||
of the resolution other than the specifically sanctioning one, provided that, for | |||
course, can show some genuine interest worthy of guardianship.” | |||
On the other hand, in the Supreme Court Ruling of June 9, 2014 - | |||
resource no. 5.216/2011-, which states that: “The jurisprudence cited by the | |||
contested ruling, as the basis for its decision to inadmiss the appeal | |||
Due to lack of active standing of the appellant, it is made up of the | |||
rulings of this Chamber of December 16, 2008 (recourse 6339/2004) and 6 of | |||
October 2009 (resource 4712/2005), which fell on appeals that present | |||
as a characteristic that, in the administrative process, after the filing of a | |||
complaint, the AEPD carried out actions aimed at verifying the facts | |||
5 | |||
Resource No.: 0002185/2021 | |||
object of complaint, so that the decision to archive the file was | |||
adopted by the AEPD after this investigative activity and verification of the | |||
facts, and as a consequence of it. | |||
In this context that we have just explained, that is, in cases in which | |||
The Administration had developed an investigation and verification action | |||
of the facts reported, the rulings of this Chamber, cited by the ruling | |||
appealed, made the statements that the complainant does not have a right | |||
subjective nor a legitimate interest in having the accused person punished. Specifically, the | |||
STS of December 15, 2008 declared that the complainant lacked standing | |||
for the claim exercised in the appeal, which had been to force the | |||
AEPD to sanction the entity reported for serious misconduct, and the STS of 29 | |||
September 2009 considered that the contested ruling had incurred | |||
inconsistency, because the petition of the lawsuit was limited to requesting the annulment of the | |||
resolution of the AEPD and the contested ruling went further and ordered retroaction | |||
of actions in order to impose the corresponding administrative sanction.” | |||
The second claim contained in the application's request says: “(ii) | |||
order the AEPD to proceed with the initiation of administrative procedures | |||
that correspond to the imposition on Clearview of any sanctions that may be | |||
appropriate on the basis of the aforementioned violations of articles 6, 9, | |||
14, 15 and 17 of the GDPR”. | |||
Thus, the appellant in said claim requests the exercise of | |||
sanctioning power for non-compliance with data protection regulations, | |||
His legitimacy to challenge the Agency's decision is not proven, since | |||
As indicated in the Supreme Court Ruling of February 1, 2018 - appeal no. | |||
2,368/2016-: “The claim to defend legality ---regardless of its | |||
regulation in the field of criminal law---requires, in the field that affects us, | |||
administrative law, of a specific and concrete authorization that is not perceived | |||
nor is it accredited in the matter of the protection of personal data, and must | |||
Remember that the punitive power belongs solely to the Administration, which is | |||
who is entrusted with the corresponding sanctioning power --- in this case, | |||
the Spanish Data Protection Agency--, and, consequently, only the | |||
Administration has an interest protected by the legal system in which the | |||
offender be punished; The opposite would imply replacing the Administration in the | |||
exercise of sanctioning power.” | |||
In short, in view of the above, the actor lacks both a right | |||
subjective as well as a legitimate interest in the success of the claim we are | |||
analyzing, so it is inadmissible under art. 69. b) of the Law of | |||
the Jurisdiction. | |||
But in the case at hand, it is also intended that the Agency | |||
Spanish Data Protection Authority recognizes its competence to resolve the | |||
claim presented by the appellant and, consequently, the | |||
processing it until its resolution. | |||
6 | |||
Resource No.: 0002185/2021 | |||
Well, in relation to said claim, if the plaintiff is found | |||
actively legitimized to challenge the resolution issued in a procedure of | |||
protection of rights, which inadmisses the claim made by them via | |||
administrative, since it includes that specific suitability that derives from the | |||
underlying problem to be discussed in this resource. Criterion that is followed by this | |||
Section in the Judgments of November 16, 2011 - appeal no. 413/2010-, of | |||
May 17, 2012 - appeal no. 406/2010 -, and March 8, 2019 -resource no. | |||
165/2018-, among others. | |||
Therefore, we will now analyze the aforementioned claim. | |||
THIRD.- In the appealed resolution, the plaintiff's claim is filed against | |||
be excluded from the scope of application of the RGPD, based on the following: “In this | |||
case, although it is true that, to offer the service, the search engine reads and | |||
stores millions of photographs publicly accessible over the Internet – | |||
many of which correspond to European residents – the conditions for | |||
that a processing carried out by a controller outside the Union (in this case, in | |||
U.S.) is covered by the GDPR are that the activities associated with it | |||
are related to the offer of goods or services to said interested parties in the | |||
Union, as determined by art. 3.2.a) of the RGPD, or that are related to the control | |||
of their behavior, as provided in article 3.2.b) of the RGPD. Circumstances | |||
that do not occur in this case.” | |||
The actor alleges that the Spanish Data Protection Agency is competent | |||
to process your claim based on art. 3.2.b) of the RGPD. Clearview is said to | |||
not only processes personal data, but also processes special categories of | |||
personal data of art. 9 of the GDPR. It is clear that recital 51 | |||
of the GDPR makes it explicit that the processing of photographs is not considered | |||
systematically processing special data, as it is not understood that the | |||
image is de facto biometric data, unless, as is the case, “the fact of | |||
be treated with specific technical means allowing the identification or | |||
univocal authentication of a natural person. | |||
It is argued that by indicating that the GDPR applies to activities of | |||
treatment related to "behavioral control", art. 3.2.b) of the | |||
GDPR implies that any data controller or data controller | |||
later worldwide that tracks European users in a way | |||
identified or identifiable person would be carrying out treatment activities under the | |||
scope of the GDPR. It is added that the GDPR covers any form of tracking in | |||
Internet that, in terms of its intensity, is equivalent to a "surveillance" of the | |||
interested parties, and that the monitoring of interested parties on the Internet through | |||
comparison of biometric data, as carried out by Clearview, would already determine the | |||
scope of art. 3.2.b) of the RGPD. | |||
In this regard, the Court is informed in the application of the | |||
conclusions reached, in this sense, by other authorities for the protection of | |||
international data, including many in the European Union. This is how they refer to | |||
7 | |||
Resource No.: 0002185/2021 | |||
cases from the United Kingdom, Hamburg, Holland, France. And in the written conclusions | |||
Reference is made to cases from Greece and Italy. | |||
Finally, it is alluded to that the appealed resolution incurs arbitrariness and lack | |||
of motivation as a consequence of hardly carrying out checks on the | |||
responsibility of Clearview and to obviate past non-compliance. | |||
FOURTH.- The art. 3.2.b) of the RGPD, on which the plaintiff relies to determine | |||
the competence of the Spanish Data Protection Agency, provides: “The | |||
This Regulation applies to the processing of personal data of interested parties | |||
residing in the Union by a person responsible or in charge not established in | |||
the Union, when the processing activities are related to: …. b) the | |||
control of their behavior, to the extent that this takes place in the Union.” | |||
For its part, recital 24 of the aforementioned RGPD states: “(24) The treatment | |||
of personal data of interested parties residing in the Union by a controller | |||
or processor not established in the Union should also be the subject of this | |||
Regulation when related to the observation of the behavior of | |||
said interested parties to the extent that this behavior takes place in the | |||
Union. To determine whether a treatment activity can be considered | |||
controls the behavior of the interested parties, it must be evaluated whether the people | |||
Physical data are tracked on the Internet, including potential subsequent use | |||
of personal data processing techniques that consist of the preparation of | |||
a profile of a natural person for the purpose, in particular, of making decisions about | |||
him or to analyze or predict his personal preferences, behaviors and | |||
attitudes.” | |||
While art. 4 of the GDPR defines “profiling” as “any | |||
form of automated processing of personal data consisting of using data | |||
personal to evaluate certain personal aspects of a natural person, | |||
in particular to analyze or predict aspects related to professional performance, | |||
economic situation, health, personal preferences, interests, reliability, | |||
behavior, location or movements of said natural person.” | |||
Thus, in resolution No. MED-2021-134, of November 26, | |||
2021from the National Commission for Information Technologies and Freedoms | |||
Public Authorities of France, in relation to the entity Clearview AI INC., and the application of the | |||
art. 3.2.b) of the GDPR, it says: “First of all, the processing in question leads to | |||
creating a behavioral profile of all people whose data is collected | |||
they collect | |||
From the relevant information, provided within the framework of cooperation between the | |||
supervisory authorities, it follows that the tool in question allows | |||
generate, from a photograph, a search result that contains all the | |||
photographs with a biometric model close enough to said photograph. | |||
This search result includes all photographs in which the | |||
face of a person and that have been collected by the company, subject to a | |||
margin of technical error. | |||
8 | |||
Resource No.: 0002185/2021 | |||
The profile thus created, relating to a person, is made up of photographs, but | |||
also the URL address of all the web pages on which they are located | |||
these photographs. However, the linking of photographs and the context in which | |||
presented on a website allows you to collect a lot of information about a | |||
person, their habits or preferences. Regarding social networks in | |||
particular, it is very likely that a photograph and the original URL of this photograph | |||
identify the account of the person in question. Photographs can also | |||
have been published online to illustrate a press or blog article, therefore | |||
which is likely to contain accurate information about the person concerned and, | |||
therefore, elements related to its behavior. | |||
Additionally, images may contain metadata, such as image metadata. | |||
geolocation, which are also included in the search result and are | |||
can be used to complete a person's profile. | |||
This search result also allows you to identify the behavior of | |||
a person on the Internet, by analyzing the information that person has | |||
chosen to put online, as well as its context. Indeed, the publication of photographs | |||
online constitutes in itself a behavior of the affected person, since | |||
reflects options about the level of exposure you want to give to elements of your | |||
private or professional life. | |||
Therefore, it is appropriate to consider that the search result associated | |||
A photograph must be classified, at least partially, as a profile of | |||
behavior of the person in question, to the extent that it contains a | |||
large amount of information relating to said person and, in particular, his | |||
behavior. Even when the purpose of the treatment itself is not the control of the | |||
behavior, the means used to enable the identification system | |||
biometrics from the company Clearview involve the creation of such a profile, and may | |||
treatment to be considered “linked to behavioral monitoring” | |||
of the affected people. | |||
Secondly, the automated data processing that allows the | |||
creation of said behavioral profile and its availability to people who | |||
queries in the company's search engine should be classified as | |||
tracking on the Internet. | |||
Indeed, the very purpose of the tool marketed by Clearview | |||
is to be able to identify and collect certain information related to a person. The | |||
implementation of the different stages of processing described above, | |||
and in particular biometric techniques to distinguish an individual, lead to the | |||
creating a behavioral profile. However, this profile is created in | |||
response to a search carried out by a person and relating to a person who | |||
appears in a photograph. | |||
Additionally, the search can be renewed over time, allowing you to see a | |||
evolution of information relating to a person, especially when compared | |||
the results of successive searches. In fact, since the database is | |||
updated periodically, successive searches allow us to follow the evolution of | |||
a profile over time.” | |||
And the conclusion is reached that the treatment carried out in this way is linked | |||
to monitoring the behavior of the interested parties in the sense of the | |||
provisions of art. 3.2.b) of the RGPD and falls within the territorial scope of the RGPD. | |||
9 | |||
Resource No.: 0002185/2021 | |||
On the other hand, the Italian Data Protection Authority, by the resolution of | |||
March 9, 2022, after discovering that what amounted to | |||
biometric control also of people in Italian territory, fined the company | |||
American Clearview AI with 20 million euros, as well as ordered the aforementioned | |||
company to delete data relating to natural persons in Italy. banned | |||
any other collection and processing of data through the system | |||
facial recognition of the company, and to appoint a representative in the EU | |||
to contact, in addition to the data controller based in the USA or in | |||
instead of it, in order to facilitate the exercise of the rights of the interested parties. | |||
Well, in light of the above, the Chamber agrees with what | |||
exposed, in the sense that the Spanish Data Protection Agency has | |||
jurisdiction to hear the appellant's claim against the company | |||
Clearview, the GDPR being applicable based on art. 3.2.b) of the aforementioned Regulation, | |||
It should be added that the aforementioned provision does not require that the treatment be carried out | |||
carried out in order to control people's behavior, but simply | |||
“linked” to him. | |||
Consequently, in light of the foregoing, the appeal must be upheld. | |||
contentious-administrative in relation to the claim that we have just stated | |||
examine, and the aforementioned appeal must be partially upheld. | |||
FIFTH.- In accordance with art. 139.1 of the Law of Jurisdiction, when estimated in | |||
party the contentious-administrative appeal, each party will pay the costs incurred | |||
at his request and the common ones in half. | |||
HAVING SEEN the cited articles, and others of general and pertinent application. | |||
WE FAIL: In relation to the contentious-administrative appeal filed | |||
by the Attorney General of the Courts N.N., in the name and | |||
representation of N.N., against the resolution of 1 | |||
September 2021 from the Director of the Spanish Data Protection Agency, | |||
which agreed to file the claim filed against Clearview AI | |||
INC., relapse in file E/04461/2021: | |||
1st. The inadmissibility of the aforementioned appeal is declared by application of art. 69.b) | |||
of the Law of Jurisdiction regarding the second of the claims contained in | |||
the request of the demand. | |||
2nd.- The appeal is upheld in relation to the first claim of the petition of the | |||
lawsuit, declaring the nullity of the appealed resolution for not being in accordance with | |||
right, and the Spanish Data Protection Agency must admit the | |||
the appellant's claim and process it. | |||
10 | |||
Resource No.: 0002185/2021 | |||
3º- Without making a special statement on the procedural costs. | |||
This ruling is subject to appeal, which must be | |||
prepare before this Court within a period of 30 days counted from the day following that of | |||
your notification; In the document preparing the appeal, the | |||
compliance with the requirements established in art. 89.2 of the Law of the | |||
Jurisdiction justifying the objective cassational interest that it presents. | |||
Thus, by this our Sentence, we pronounce it, we order and we sign. | |||
</pre> | |||
Latest revision as of 12:30, 17 July 2024
| AN - 2185/2021 (Appeal number - Número de Recurso) | |
|---|---|
 | |
| Court: | AN (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 3(2)(b) GDPR Ley 29/1998, de 13 de julio, reguladora de la Jurisdicción Contencioso-administrativa |
| Decided: | 27.06.2024 |
| Published: | |
| Parties: | AEPD |
| National Case Number/Name: | 2185/2021 (Appeal number - Número de Recurso) |
| European Case Law Identifier: | |
| Appeal from: | AEPD (Spain) E/04461/2021 |
| Appeal to: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | Audiencia Nacional - Sala de lo Contencioso-Administrativo (in Spanish) |
| Initial Contributor: | lm |
The Court found the Spanish DPA competent to resolve a complaint against US-based Clearview AI, and thus ordered the DPA to admit and process the complaint.
English Summary
Facts
Clearview AI Inc. (the controller or Clearview) is a company established in the United States. The controller scrapes the internet for photos of faces. Users of its services can upload a photo of the face of a person and obtain other photos of the same person, based on facial recognition technology. They also obtain the URLs where those photos were found. These searches may identify a data subject’s social media accounts or other webpages that disclose further personal data about them. The controller claimed to have the biggest known database of facial images with more than 10 billion images.
In February 2020, September 2020 and January 2021, the data subject submitted access requests as well as objections to processing to the controller via the email address privacy@clearview.ai. The controller did not respond until 29 January 2021, when it instructed the data subject to exercise its rights using a web form. The data subject submitted the form but did not receive a response. In March 2021 the data subject sent another email to the controller attempting to exercise their rights. The controller again responded by instructing them to fill out the web form.
On 10 March 2021 the data subject filed a complaint with the Spanish DPA (AEPD) alleging numerous infringements of the GDPR. The AEPD archived the complaint in September 2021 on the basis that it lacked competence because the controller did not fall within the scope of Article 3(2) GDPR. This provision applies the GDPR to controllers established outside of the EU – in this case, the US – when they offer goods or services to data subjects in the Union of if they monitor their behaviour. The AEPD considered that the provision was not applicable in this case.
The data subject initiated proceedings before the Administrative Chamber of Spain’s Audiencia Nacional (the Court) to challenge the AEPD’s decision. It argued that the AEPD is competent to handle the complaint because Clearview processed EU data subjects’ data surveilling their behaviour, bringing it within the scope of Article 3(2)(b) GDPR. Specifically, the data subject claimed that the controller processed photographs “through specific technical means allowing the unique identification or authentication of a natural person”—a type of processing that Recital 51 GDPR explicitly considers processing of a special category of data. The data subject requested that the AEPD’s decision be annulled and that the Court:
- Order the AEPD to recognize its competence to resolve the complaint and that, in consequence, the complaint be dealt with.
- Order the AEPD to initiate sanctioning proceedings for infringements of Articles 6, 9, 14, 15 and 17 GDPR.
Holding
The Court partially upheld the appeal. In relation to the first request, it found that the Spanish DPA was competent to resolve the complaint under the GDPR. Therefore, it must admit and handle the data subject’s complaint. The Court declared the second request inadmissible because the data subject did not have a subjective right nor a legitimate interest to request the Court to order a DPA to sanction a controller.
Request to Order the AEPD to Initiate Sanctioning Proceedings
The Court declared the data subject’s request that the Court order the AEPD to initiate sanctioning proceedings inadmissible.
The Court reiterated the jurisprudence of the Tribunal Supremo (Supreme Court) noting that complainants do not have a subjective right or legitimate interest in sanctioning a defendant. In data protection matters the sanctioning power is entrusted solely to the public administration – in this case, the AEPD. As a result, data subjects cannot challenge DPA decisions in a sanctioning procedure, nor can they request courts to impose administrative sanctions that were not imposed by the DPA. Administrative courts can control the legality of administrative acts in sanctioning matters, but they cannot impose administrative sanctions that were not imposed by the Administration (among others, Judgement of the Supreme Court of 6 October 2009, no. 4.712/2005).
Because of this reasoning, the Court declared the request inadmissible.
Request to Order the AEPD to Resolve the Complaint
In contrast to its previous findings, the Court held that a data subject can challenge a decision issued in a procedure for the protection of rights where an authority does not admit the complaint filed. It found that the AEPD was competent and is, thus, obligated to handle the complaint.
The Court rejected the AEPD’s finding that it lacked competence to resolve the complaint. It agreed with the data subject as well as DPAs in Hamburg, the Netherlands, France, Greece, Italy and the UK that the controller, in processing and scraping the personal data of European users, falls within the scope of Article 3(2)(b) GDPR. According to the Court, Article 3(2)(b) GDPR does not mean that processing must have the purpose of controlling the behavior of the data subjects; it only requires that the processing be ‘linked’ to such a purpose.
In particular, the Court relied heavily on the French DPA’s (CNIL) decision of 26 November 2021, in which it identified Clearview as falling within the scope of Article 3(2)(b) GDPR. The CNIL had considered the controller’s processing, including scraping the web for photos of data subjects, the URLs where those photos are, the metadata contained in photos. According to the CNIL, Clearview's services allow for identifying, finding information on and creating a detailed profile about an individual. It can therefore be considered to be related to the monitoring of the behaviour of data subjects. The Court also noted that the Italian DPA (Garante) had fined Clearview AI € 20 million, prohibited further processing and ordered it to designate a representative in the EU. The Court agreed with the CNIL and the Garante that the processing falls within the scope of the GDPR and that the AEPD is thus competent to resolve the complaint of the data subject.
For those reasons, the Court partially upheld the appeal and ordered the AEPD to admit and handle the complaint.
Comment
The judgement of the Audiencia Nacional is in line with several decisions of European data protection authorities (Austria, France, Greece, Italy, UK). It corrects the AEPD's stance and, indirectly, contributes to a uniform approach throughout the European Union (and beyond) regarding Clearview.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Resource No.: 0002185/2021
NATIONAL AUDIENCE
Contentious-Administrative Chamber
FIRST SECTION
Resource No.: 0002185/2021
Type of Appeal: ORDINARY PROCEDURE
General Registry No.: 19167/2021
Demanding: N.N
Attorney: N.N
Respondent: SPANISH DATA PROTECTION AGENCY
State Attorney
Speaker IImo. Mr.: N.N.
S E N T E N C I A Nº:
IImo. Mr. President:
N.N.
Ilmos. Messrs. Magistrates:
N.N.
N.N.
N.N.
Madrid, June twenty-seven, two thousand twenty-four.
Seen by the Chamber, made up of the Magistrates related to the margin,
the records of the contentious-administrative appeal number 2,185/21, filed by the
Attorney of the Courts N.N., in the name and
representation of N.N., against the resolution of 1
September 2021 from the Director of the Spanish Data Protection Agency,
which agreed to file the claim filed against Clearview AI
INC., relapsed in file E/04461/2021. The ADMINISTRATION has been part
OF THE STATE. The amount of the resource was set at undetermined.
1
Resource No.: 0002185/2021
FACTUAL BACKGROUND
FIRST.- The appeal is admitted and the appropriate procedures have been carried out
procedural matters, transfer was granted to the plaintiff so that, within the term of
twenty days to formalize the demand, which was carried out in writing
presented on December 20, 2021 in which, after presenting the facts and
foundations of law that he considered appropriate, he ended up requesting that a
judgment by which “WITH APPROVAL OF THIS APPEAL is annulled,
revoke and annul the appealed resolution and, consequently:
(i) the AEPD is ordered to recognize its competence to resolve the
claim presented by my client and, consequently, proceed to the
processing it until its resolution; and
(ii) the AEPD is ordered to proceed with the initiation of the procedures
administrative procedures that correspond to the imposition on Clearview of how many
Sanctions may be appropriate based on the aforementioned infractions.
of articles 6, 9, 14, 15 and 17 of the GDPR”.
SECOND.- Once the demand was formalized, it was transferred to the party
defendant to respond within twenty days, which he did
through the pertinent writing, alleging the facts and legal bases that
deemed pertinent, requesting that “a ruling be issued declaring the
inadmissibility of this appeal or, alternatively, it is dismissed, confirming
the contested administrative act.”
THIRD.- By Order of July 11, 2022, it was agreed to receive
proof of the appeal, admitting the documentary evidence proposed by the party
actor. And, there being no more evidence to perform, the period of ten days was granted
to the parties for the formulation of conclusions. Once presented the
corresponding writings, the actions were pending voting and ruling,
which was scheduled for June 25 of the current year, the date on which it took place.
WITH THE EXHIBITION MAGISTRATE BEING SPEAKER. N.N.
FOUNDATIONS OF LAW
FIRST.- The plaintiff challenges the resolution of September 1, 2021
of the Director of the Spanish Data Protection Agency, by which it was agreed
the file of the claim filed against Clearview AI INC., falling on the
file E/04461/2021.
2
Resource No.: 0002185/2021
From the data in the file, the following are proven
facts relevant to issuing the resolution at hand:
A) Clearview AI INC. is a company based in the United States of
America founded in 2017, facial recognition platform that allows users
Users upload an image of a person's face and track, based on the
physical match, other photos of that person's face collected from the Internet.
In his own words, the platform “includes the largest database
known from more than ten billion facial images from sources
public-only websites, including media outlets, mugshot websites,
public social networks and other open sources.”
B) On February 14, 2020, the appellant here requested Clearview to exercise,
among others, access rights (art. 15 of Regulation (EU) 2016/679
of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to data processing
personal data and the free circulation of these data, hereinafter RGPD), and opposition
(art. 21 of the GDPR), with respect to personal data processed by the latter as
data controller on the basis of art. 14.1 c) of the GDPR. For this, it
addressed to the email address privacy@clearview.ai indicated for this purpose
by Clearview on their website https://www.clearview.ai/.
C) Since the plaintiff did not receive a response, he repeated the request two more times.
of rights through the same system, on September 13, 2020 and 28
January 2021
On January 29, 2021, Clearview urged the appellant to exercise his rights
through the form on the Web, which was done on January 30, 2021.
D) Upon not receiving a response, on March 1, 2021, the plaintiff repeated, for
fifth time, the request to exercise your rights, this time through Email
electronic.
On March 8, 2021, the appellant received an email from Clearview
urging you, again, to request the exercise of your rights through the form
included on the website
E) The plaintiff presented a claim on March 10, 2021 against
Clearview AI INC. before the Spanish Data Protection Agency for infringement
of the arts. 15, 17 and 21 of the GDPR.
F) On March 22, 2021, the appellant received a response from Clearview AI
INC. solely in response to your access request (art. 15 of the RGPD).
G) Prior to the admission for processing of the claim presented,
It was transferred by the Spanish Data Protection Agency to
CLEARVIEW AI INC. to proceed with its analysis and respond to said
Agency within one month. Likewise, the requested report was requested on the
3
Resource No.: 0002185/2021
causes that motivated the incident that occurred, and details of the measures adopted
to avoid similar situations. There is no record of receipt at the Agency of a
response to the transfer by the claimed entity.
SECOND.- Firstly, we will analyze the cause of inadmissibility of art.
69.b) of the Law of Jurisdiction, raised by the legal representative of the
General Administration of the State, based on the lack of active legitimation of the
recurrent.
To analyze this cause of inadmissibility, we must assume that the
Legitimation is an inexcusable presupposition of the process, providing for art. 19.1.a) of the
Law of Jurisdiction, which: “They are legitimized before the jurisdictional order
contentious-administrative: a) Natural or legal persons who hold a
right or legitimate interest.”
In this sense, the Ruling of the Constitutional Court 52/2007, of 12
March, has specified that the legitimate interest, referred to in art. 24.1 of the
Constitution “is characterized as a univocal material relationship between the subject and the
object of the claim (challenged act or provision), in such a way that its
Override automatically produces a positive (benefit) or negative effect
(damage) current or future but certain, such relationship must be understood as referring to a
interest in its own sense, qualified and specific, current and real (not potential or
hypothetical). It is the potential ownership of an advantage or a utility
legal, not necessarily of patrimonial content, by the person exercising the
claim, which would materialize if this is successful. Or, what is the same, the interest
Legitimate is any legal advantage or utility derived from the intended reparation.
(SSTC 252/2000, of October 30, FJ 3; 173/2004, of October 18, FJ 3; and
73/2006, of March 13, FJ 4; in relation to a union, STC 28/2005, of 14
February, FJ 3)”.
In the specific area of sanctioning procedures, it has been pointed out
in relation to legitimation in the Supreme Court Ruling of January 30
of 2001 - appeal no. 506/1998- that “the Chamber understands that the existence of
Legitimation is linked to a legitimate interest of the party that claims it,
being the key to determining whether or not that legitimate interest exists in the process of
challenge of a resolution... the information of whether the imposition of a sanction can
produce a positive effect on the legal sphere of the complainant or can eliminate a
burden or burden in that sphere, and it will be so, in each case, and depending on what
intended, as the appropriate answer to such a question can be given, not being
that the imposition of the sanction constitutes in itself the satisfaction of a
interest".
More recently, in the field of data protection itself in which
we find ourselves, it is worth mentioning the Supreme Court Sentence of October 6,
2009 - appeal no. 4,712/2005 -, which states that “whoever reports facts that
considered to constitute a violation of data protection legislation.
of active standing to challenge through jurisdiction what the Agency resolves.
4
Resource No.: 0002185/2021
This is clear from the rulings of this Chamber of November 6, 2007 and, with
even greater clarity, dated December 10, 2008.”
The reason for said lack of legitimation lies, according to the aforementioned Judgment, in
that the complainant lacks the status of interested party in the procedure
sanctioning that can be initiated as a result of your complaint, since in the regulations of
data protection, that condition is not recognized. And as regards the
general principles of administrative sanctioning law, continues the aforementioned
Sentence “although on some occasions this Chamber has said that the complainant
can challenge the filing of the complaint by the Administration, it is not admitted that the
complainant can challenge the final administrative resolution. The crucial argument
in this matter is that the complainant, even when he considers himself
“victim” of the reported violation, does not have a subjective right or interest
legitimate for the accused to be punished. The punitive power belongs
only to the Administration that has been entrusted with the corresponding power
sanctioning authority - in this case, the Spanish Data Protection Agency - and therefore
Consequently, only the Administration has an interest protected by the legal system.
legal in which the offender is punished. It is true that things are not like that in the
criminal law itself, where popular action even exists, but this
It is because there are rules that expressly establish exceptions that do not
appear in administrative sanctioning law and, so now
specifically interested in data protection legislation. It's more:
Accepting the active standing of the complainant would not only lead to maintaining that
has an interest that the legal system does not recognize or protect, but rather
would also lead to transforming the contentious-administrative courts into a
type of appeal bodies in sanctioning matters. The latter would mean
accept that they can impose the administrative sanctions that the
Administration, which would clash with the so-called “reviewing nature” of the jurisdiction
administrative litigation. In other words, the contentious courts
Administrative authorities can and must control the legality of administrative acts in
sanctioning matter; but they cannot replace the Administration in the exercise of
the sanctioning powers that the law entrusts to it.
What has just been said must be clarified: the complainant of
a violation of data protection legislation lacks locus standi
to challenge the Agency's resolution regarding the result
sanctioner himself (imposition of a sanction, amount thereof, exculpation,
etc); but if necessary, it may have active legitimacy with respect to aspects
of the resolution other than the specifically sanctioning one, provided that, for
course, can show some genuine interest worthy of guardianship.”
On the other hand, in the Supreme Court Ruling of June 9, 2014 -
resource no. 5.216/2011-, which states that: “The jurisprudence cited by the
contested ruling, as the basis for its decision to inadmiss the appeal
Due to lack of active standing of the appellant, it is made up of the
rulings of this Chamber of December 16, 2008 (recourse 6339/2004) and 6 of
October 2009 (resource 4712/2005), which fell on appeals that present
as a characteristic that, in the administrative process, after the filing of a
complaint, the AEPD carried out actions aimed at verifying the facts
5
Resource No.: 0002185/2021
object of complaint, so that the decision to archive the file was
adopted by the AEPD after this investigative activity and verification of the
facts, and as a consequence of it.
In this context that we have just explained, that is, in cases in which
The Administration had developed an investigation and verification action
of the facts reported, the rulings of this Chamber, cited by the ruling
appealed, made the statements that the complainant does not have a right
subjective nor a legitimate interest in having the accused person punished. Specifically, the
STS of December 15, 2008 declared that the complainant lacked standing
for the claim exercised in the appeal, which had been to force the
AEPD to sanction the entity reported for serious misconduct, and the STS of 29
September 2009 considered that the contested ruling had incurred
inconsistency, because the petition of the lawsuit was limited to requesting the annulment of the
resolution of the AEPD and the contested ruling went further and ordered retroaction
of actions in order to impose the corresponding administrative sanction.”
The second claim contained in the application's request says: “(ii)
order the AEPD to proceed with the initiation of administrative procedures
that correspond to the imposition on Clearview of any sanctions that may be
appropriate on the basis of the aforementioned violations of articles 6, 9,
14, 15 and 17 of the GDPR”.
Thus, the appellant in said claim requests the exercise of
sanctioning power for non-compliance with data protection regulations,
His legitimacy to challenge the Agency's decision is not proven, since
As indicated in the Supreme Court Ruling of February 1, 2018 - appeal no.
2,368/2016-: “The claim to defend legality ---regardless of its
regulation in the field of criminal law---requires, in the field that affects us,
administrative law, of a specific and concrete authorization that is not perceived
nor is it accredited in the matter of the protection of personal data, and must
Remember that the punitive power belongs solely to the Administration, which is
who is entrusted with the corresponding sanctioning power --- in this case,
the Spanish Data Protection Agency--, and, consequently, only the
Administration has an interest protected by the legal system in which the
offender be punished; The opposite would imply replacing the Administration in the
exercise of sanctioning power.”
In short, in view of the above, the actor lacks both a right
subjective as well as a legitimate interest in the success of the claim we are
analyzing, so it is inadmissible under art. 69. b) of the Law of
the Jurisdiction.
But in the case at hand, it is also intended that the Agency
Spanish Data Protection Authority recognizes its competence to resolve the
claim presented by the appellant and, consequently, the
processing it until its resolution.
6
Resource No.: 0002185/2021
Well, in relation to said claim, if the plaintiff is found
actively legitimized to challenge the resolution issued in a procedure of
protection of rights, which inadmisses the claim made by them via
administrative, since it includes that specific suitability that derives from the
underlying problem to be discussed in this resource. Criterion that is followed by this
Section in the Judgments of November 16, 2011 - appeal no. 413/2010-, of
May 17, 2012 - appeal no. 406/2010 -, and March 8, 2019 -resource no.
165/2018-, among others.
Therefore, we will now analyze the aforementioned claim.
THIRD.- In the appealed resolution, the plaintiff's claim is filed against
be excluded from the scope of application of the RGPD, based on the following: “In this
case, although it is true that, to offer the service, the search engine reads and
stores millions of photographs publicly accessible over the Internet –
many of which correspond to European residents – the conditions for
that a processing carried out by a controller outside the Union (in this case, in
U.S.) is covered by the GDPR are that the activities associated with it
are related to the offer of goods or services to said interested parties in the
Union, as determined by art. 3.2.a) of the RGPD, or that are related to the control
of their behavior, as provided in article 3.2.b) of the RGPD. Circumstances
that do not occur in this case.”
The actor alleges that the Spanish Data Protection Agency is competent
to process your claim based on art. 3.2.b) of the RGPD. Clearview is said to
not only processes personal data, but also processes special categories of
personal data of art. 9 of the GDPR. It is clear that recital 51
of the GDPR makes it explicit that the processing of photographs is not considered
systematically processing special data, as it is not understood that the
image is de facto biometric data, unless, as is the case, “the fact of
be treated with specific technical means allowing the identification or
univocal authentication of a natural person.
It is argued that by indicating that the GDPR applies to activities of
treatment related to "behavioral control", art. 3.2.b) of the
GDPR implies that any data controller or data controller
later worldwide that tracks European users in a way
identified or identifiable person would be carrying out treatment activities under the
scope of the GDPR. It is added that the GDPR covers any form of tracking in
Internet that, in terms of its intensity, is equivalent to a "surveillance" of the
interested parties, and that the monitoring of interested parties on the Internet through
comparison of biometric data, as carried out by Clearview, would already determine the
scope of art. 3.2.b) of the RGPD.
In this regard, the Court is informed in the application of the
conclusions reached, in this sense, by other authorities for the protection of
international data, including many in the European Union. This is how they refer to
7
Resource No.: 0002185/2021
cases from the United Kingdom, Hamburg, Holland, France. And in the written conclusions
Reference is made to cases from Greece and Italy.
Finally, it is alluded to that the appealed resolution incurs arbitrariness and lack
of motivation as a consequence of hardly carrying out checks on the
responsibility of Clearview and to obviate past non-compliance.
FOURTH.- The art. 3.2.b) of the RGPD, on which the plaintiff relies to determine
the competence of the Spanish Data Protection Agency, provides: “The
This Regulation applies to the processing of personal data of interested parties
residing in the Union by a person responsible or in charge not established in
the Union, when the processing activities are related to: …. b) the
control of their behavior, to the extent that this takes place in the Union.”
For its part, recital 24 of the aforementioned RGPD states: “(24) The treatment
of personal data of interested parties residing in the Union by a controller
or processor not established in the Union should also be the subject of this
Regulation when related to the observation of the behavior of
said interested parties to the extent that this behavior takes place in the
Union. To determine whether a treatment activity can be considered
controls the behavior of the interested parties, it must be evaluated whether the people
Physical data are tracked on the Internet, including potential subsequent use
of personal data processing techniques that consist of the preparation of
a profile of a natural person for the purpose, in particular, of making decisions about
him or to analyze or predict his personal preferences, behaviors and
attitudes.”
While art. 4 of the GDPR defines “profiling” as “any
form of automated processing of personal data consisting of using data
personal to evaluate certain personal aspects of a natural person,
in particular to analyze or predict aspects related to professional performance,
economic situation, health, personal preferences, interests, reliability,
behavior, location or movements of said natural person.”
Thus, in resolution No. MED-2021-134, of November 26,
2021from the National Commission for Information Technologies and Freedoms
Public Authorities of France, in relation to the entity Clearview AI INC., and the application of the
art. 3.2.b) of the GDPR, it says: “First of all, the processing in question leads to
creating a behavioral profile of all people whose data is collected
they collect
From the relevant information, provided within the framework of cooperation between the
supervisory authorities, it follows that the tool in question allows
generate, from a photograph, a search result that contains all the
photographs with a biometric model close enough to said photograph.
This search result includes all photographs in which the
face of a person and that have been collected by the company, subject to a
margin of technical error.
8
Resource No.: 0002185/2021
The profile thus created, relating to a person, is made up of photographs, but
also the URL address of all the web pages on which they are located
these photographs. However, the linking of photographs and the context in which
presented on a website allows you to collect a lot of information about a
person, their habits or preferences. Regarding social networks in
particular, it is very likely that a photograph and the original URL of this photograph
identify the account of the person in question. Photographs can also
have been published online to illustrate a press or blog article, therefore
which is likely to contain accurate information about the person concerned and,
therefore, elements related to its behavior.
Additionally, images may contain metadata, such as image metadata.
geolocation, which are also included in the search result and are
can be used to complete a person's profile.
This search result also allows you to identify the behavior of
a person on the Internet, by analyzing the information that person has
chosen to put online, as well as its context. Indeed, the publication of photographs
online constitutes in itself a behavior of the affected person, since
reflects options about the level of exposure you want to give to elements of your
private or professional life.
Therefore, it is appropriate to consider that the search result associated
A photograph must be classified, at least partially, as a profile of
behavior of the person in question, to the extent that it contains a
large amount of information relating to said person and, in particular, his
behavior. Even when the purpose of the treatment itself is not the control of the
behavior, the means used to enable the identification system
biometrics from the company Clearview involve the creation of such a profile, and may
treatment to be considered “linked to behavioral monitoring”
of the affected people.
Secondly, the automated data processing that allows the
creation of said behavioral profile and its availability to people who
queries in the company's search engine should be classified as
tracking on the Internet.
Indeed, the very purpose of the tool marketed by Clearview
is to be able to identify and collect certain information related to a person. The
implementation of the different stages of processing described above,
and in particular biometric techniques to distinguish an individual, lead to the
creating a behavioral profile. However, this profile is created in
response to a search carried out by a person and relating to a person who
appears in a photograph.
Additionally, the search can be renewed over time, allowing you to see a
evolution of information relating to a person, especially when compared
the results of successive searches. In fact, since the database is
updated periodically, successive searches allow us to follow the evolution of
a profile over time.”
And the conclusion is reached that the treatment carried out in this way is linked
to monitoring the behavior of the interested parties in the sense of the
provisions of art. 3.2.b) of the RGPD and falls within the territorial scope of the RGPD.
9
Resource No.: 0002185/2021
On the other hand, the Italian Data Protection Authority, by the resolution of
March 9, 2022, after discovering that what amounted to
biometric control also of people in Italian territory, fined the company
American Clearview AI with 20 million euros, as well as ordered the aforementioned
company to delete data relating to natural persons in Italy. banned
any other collection and processing of data through the system
facial recognition of the company, and to appoint a representative in the EU
to contact, in addition to the data controller based in the USA or in
instead of it, in order to facilitate the exercise of the rights of the interested parties.
Well, in light of the above, the Chamber agrees with what
exposed, in the sense that the Spanish Data Protection Agency has
jurisdiction to hear the appellant's claim against the company
Clearview, the GDPR being applicable based on art. 3.2.b) of the aforementioned Regulation,
It should be added that the aforementioned provision does not require that the treatment be carried out
carried out in order to control people's behavior, but simply
“linked” to him.
Consequently, in light of the foregoing, the appeal must be upheld.
contentious-administrative in relation to the claim that we have just stated
examine, and the aforementioned appeal must be partially upheld.
FIFTH.- In accordance with art. 139.1 of the Law of Jurisdiction, when estimated in
party the contentious-administrative appeal, each party will pay the costs incurred
at his request and the common ones in half.
HAVING SEEN the cited articles, and others of general and pertinent application.
WE FAIL: In relation to the contentious-administrative appeal filed
by the Attorney General of the Courts N.N., in the name and
representation of N.N., against the resolution of 1
September 2021 from the Director of the Spanish Data Protection Agency,
which agreed to file the claim filed against Clearview AI
INC., relapse in file E/04461/2021:
1st. The inadmissibility of the aforementioned appeal is declared by application of art. 69.b)
of the Law of Jurisdiction regarding the second of the claims contained in
the request of the demand.
2nd.- The appeal is upheld in relation to the first claim of the petition of the
lawsuit, declaring the nullity of the appealed resolution for not being in accordance with
right, and the Spanish Data Protection Agency must admit the
the appellant's claim and process it.
10
Resource No.: 0002185/2021
3º- Without making a special statement on the procedural costs.
This ruling is subject to appeal, which must be
prepare before this Court within a period of 30 days counted from the day following that of
your notification; In the document preparing the appeal, the
compliance with the requirements established in art. 89.2 of the Law of the
Jurisdiction justifying the objective cassational interest that it presents.
Thus, by this our Sentence, we pronounce it, we order and we sign.
