AN - 2185/2021: Difference between revisions

From GDPRhub
m (Wp moved page Audiencia Nacional - Sala Cont-Admtvo - 0002185/2021 to AN - 0002185/2021: wrong category assigned)
 
(10 intermediate revisions by 3 users not shown)
Line 9: Line 9:
|Court_With_Country= AN (Spain)
|Court_With_Country= AN (Spain)


|Case_Number_Name=0002185/2021
|Case_Number_Name=2185/2021 (Appeal number - Número de Recurso)
|ECLI=
|ECLI=


|Original_Source_Name_1=Audiencia Nacional - Sala Cont-Admtvo
|Original_Source_Name_1=Audiencia Nacional - Sala de lo Contencioso-Administrativo
|Original_Source_Link_1=https://gdprhub.eu/images/b/b5/Env_3702-1_Redacted.pdf
|Original_Source_Link_1=https://gdprhub.eu/images/4/41/0002185-2021_Redacted.pdf
|Original_Source_Language_1=Spanish
|Original_Source_Language_1=Spanish
|Original_Source_Language__Code_1=ES
|Original_Source_Language__Code_1=ES
Line 21: Line 21:
|Original_Source_Language__Code_2=
|Original_Source_Language__Code_2=


|Date_Decided=12.07.2024
|Date_Decided=27.06.2024
|Date_Published=16.07.2024
|Date_Published=
|Year=2024
|Year=2024


Line 69: Line 69:


=== Facts ===
=== Facts ===
Clearview AI Inc. (the controller) is a facial recognition company established in the United States. The controller permits users to upload an image of a person’s face and scrape the internet for other photos of them, as well as the URLs where those photos are found. Frequently, these searches identify a data subject’s social media accounts or other webpages that disclose further personal data about them.  
Clearview AI Inc. (the controller or Clearview) is a company established in the United States. The controller scrapes the internet for photos of faces. Users of its services can upload a photo of the face of a person and obtain other photos of the same person, based on facial recognition technology. They also obtain the URLs where those photos were found. These searches may identify a data subject’s social media accounts or other webpages that disclose further personal data about them. The controller claimed to have the biggest known database of facial images with more than 10 billion images.  


In February 2020, September 2020 and January 2021, a data subject submitted access requests as well as objections to processing to the controller via the email address privacy@clearview.ai. The controller did not respond until 29 January 2021, when it instructed the data subject to exercise its rights using a web form. The data subject submitted the form but did not receive a response. In March 2021 the data subject sent another email to the controller attempting to exercise their rights. The controller again responded by instructing them to fill out the web form.  
In February 2020, September 2020 and January 2021, the data subject submitted access requests as well as objections to processing to the controller via the email address privacy@clearview.ai. The controller did not respond until 29 January 2021, when it instructed the data subject to exercise its rights using a web form. The data subject submitted the form but did not receive a response. In March 2021 the data subject sent another email to the controller attempting to exercise their rights. The controller again responded by instructing them to fill out the web form.  


On 10 March 2021, the data subject represented by ''noyb'', the European Center for Digital Rights, filed a complaint with the Spanish DPA (AEPD) alleging numerous infringements of the GDPR. The AEPD archived the complaint in September 2021 on the basis that it lacked competence because the controller did not come within the scope of [[Article 3 GDPR#2b|Article 3(2)(b) GDPR]]. This provision applies the GDPR to controllers established outside of the EU – in this case, the US – when they offer services to data subjects in the Union. The AEPD considered that these circumstances do not exist in this case.  
On 10 March 2021 the data subject filed a complaint with the Spanish DPA (AEPD) alleging numerous infringements of the GDPR. The AEPD archived the complaint in September 2021 on the basis that it lacked competence because the controller did not fall within the scope of [[Article 3 GDPR#(2) Activity in the Union|Article 3(2) GDPR]]. This provision applies the GDPR to controllers established outside of the EU – in this case, the US – when they offer goods or services to data subjects in the Union of if they monitor their behaviour. The AEPD considered that the provision was not applicable in this case.  


The data subject initiated proceedings before Spain’s National Court, Chamber of the Contentious-Administrative (the Court) to challenge the AEPD’s dismissal. It argued that the AEPD is competent to handle the complaint because Clearview processed EU data subjects’ data, including special categories of data under [[Article 9 GDPR|Article 9 GDPR]], bringing it within the scope of [[Article 3 GDPR#2b|Article 3(2)(b) GDPR]]. Specifically, the controller processes photographs “''through specific technical means allowing the unique identification or authentication of a natural person''”—a type of processing that Recital 51 GDPR explicitly considers processing of a special category of data. The data subject requested that the AEPD’s dismissal be annulled and that the Court:
The data subject initiated proceedings before the Administrative Chamber of Spain’s ''Audiencia Nacional'' (the Court) to challenge the AEPD’s decision. It argued that the AEPD is competent to handle the complaint because Clearview processed EU data subjects’ data surveilling their behaviour, bringing it within the scope of [[Article 3 GDPR#2b|Article 3(2)(b) GDPR]]. Specifically, the data subject claimed that the controller processed photographs “''through specific technical means allowing the unique identification or authentication of a natural person''”—a type of processing that Recital 51 GDPR explicitly considers processing of a special category of data. The data subject requested that the AEPD’s decision be annulled and that the Court:


# Order the AEPD to recognize its competence to resolve the complaint.
# Order the AEPD to recognize its competence to resolve the complaint and that, in consequence, the complaint be dealt with.
# Order the AEPD to initiate sanctioning proceedings and find infringements of Articles 6, 9, 14, 15 and 17 GDPR.
# Order the AEPD to initiate sanctioning proceedings for infringements of Articles 6, 9, 14, 15 and 17 GDPR.


=== Holding ===
=== Holding ===
The Court partially upheld and partially rejected the appeal. It upheld the appeal with relation to the first request, finding that the DPA was competent to resolve the complaint under the GDPR and thus must admit and process the data subject’s complaint. The Court rejected the second request because the data subject did not have standing to request a Court to order a DPA to sanction a controller.
The Court partially upheld the appeal. In relation to the first request, it found that the Spanish DPA was competent to resolve the complaint under the GDPR. Therefore, it must admit and handle the data subject’s complaint. The Court declared the second request inadmissible because the data subject did not have a subjective right nor a legitimate interest to request the Court to order a DPA to sanction a controller.


===== Request to Order the AEPD to Initiate Sanctioning Proceedings =====
===== Request to Order the AEPD to Initiate Sanctioning Proceedings =====
The Court rejected the data subject’s request that the Court order the AEPD to initiate sanctioning proceedings.
The Court declared the data subject’s request that the Court order the AEPD to initiate sanctioning proceedings inadmissible.


The Court reiterated the Supreme Tribunal’s prior jurisprudence noting that complainants do not have a subjective right or legitimate interest in sanctioning a defendant. While complainants have sometimes been found to have standing to challenge dismissal decisions, they do not have standing to challenge final administrative decisions. (Supreme Court’s sentence of 6 October 2009, no. 4.712/2005) This punitive power is entrusted solely to the administrative entity – in this case, the AEPD. As a result, data subjects do not have standing to challenge DPA decisions on the outcome of a case, nor can they request courts to impose administrative sanctions that were not imposed by the DPA. By the same logic, contentious-administrative courts can control the legality of administrative acts in sanctioning matters, but they cannot impose administrative sanctions that were not imposed by the Administration.  
The Court reiterated the jurisprudence of the ''Tribunal Supremo'' (Supreme Court) noting that complainants do not have a subjective right or legitimate interest in sanctioning a defendant. In data protection matters the sanctioning power is entrusted solely to the public administration – in this case, the AEPD. As a result, data subjects cannot challenge DPA decisions in a sanctioning procedure, nor can they request courts to impose administrative sanctions that were not imposed by the DPA. Administrative courts can control the legality of administrative acts in sanctioning matters, but they cannot impose administrative sanctions that were not imposed by the Administration (among others, [https://www.poderjudicial.es/search/AN/openDocument/8da9e7069a81151f/20091022 Judgement of the Supreme Court of 6 October 2009, no. 4.712/2005]).
 
Because of this reasoning, the Court declared the request inadmissible.  


===== Request to Order the AEPD to Resolve the Complaint =====
===== Request to Order the AEPD to Resolve the Complaint =====
The Court held that a data subject does have standing to challenge a decision issued in a procedure for the protection of rights where an authority rejects the claim filed. It found that the AEPD was obligated to resolve the complaint, and that it thus erred in its dismissal.
In contrast to its previous findings, the Court held that a data subject can challenge a decision issued in a procedure for the protection of rights where an authority does not admit the complaint filed. It found that the AEPD was competent and is, thus, obligated to handle the complaint.


The Court rejected the AEPD’s finding that it lacked competence to resolve the complaint. It agreed with the data subject as well as DPAs in Hamburg, the Netherlands, France, Greece, Italy and the UK that the controller, in processing and scraping the personal data of European users, is processing data and thus within the scope of [[Article 3 GDPR#2b|Article 3(2)(b) GDPR]]. [[Article 3 GDPR#2b|Article 3(2)(b) GDPR]] does not mean that processing must have the purpose of controlling behavior of the data subjects; it only requires that the processing be ‘linked’ to the data subject.
The Court rejected the AEPD’s finding that it lacked competence to resolve the complaint. It agreed with the data subject as well as DPAs in Hamburg, the Netherlands, France, Greece, Italy and the UK that the controller, in processing and scraping the personal data of European users, falls within the scope of [[Article 3 GDPR#2b|Article 3(2)(b) GDPR]]. According to the Court, [[Article 3 GDPR#2b|Article 3(2)(b) GDPR]] does not mean that processing must have the purpose of controlling the behavior of the data subjects; it only requires that the processing be ‘linked’ to such a purpose.


In particular, the Court relied heavily on the French DPA’s (CNIL) [https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000044499030?init=true&page=1&query=CLEARVIEW&searchField=ALL&tab_selection=all decision of 26 November 2021], in which it identified Clearview AI Inc. as coming within the scope of [[Article 3 GDPR#2b|Article 3(2)(b) GDPR]]. The CNIL considered the extent of the controller’s processing, including scraping the web for photos of data subjects, the URLs where those photos are, the metadata contained in photos. The purpose of Clearview’s technology, the CNIL concluded, is identifying, finding information on and creating a detailed profile about an individual. The Court also noted that the Italian DPA (Garante[https://gdprhub.eu/Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9751362?mtc=hubasmtw ) fined Clearview AI €20 million] for its unlawful processing of data subjects in Italian territory, prohibited further processing and ordered it to designate a DPO in the EU. The Court agreed with the CNIL and the Garante that the controller falls within the scope of the GDPR and that Member State DPAs are thus competent to resolve complaints involving the controller.  
In particular, the Court relied heavily on the [[CNIL (France) - MED-2021-134|French DPA’s (CNIL) decision of 26 November 2021]], in which it identified Clearview as falling within the scope of [[Article 3 GDPR#2b|Article 3(2)(b) GDPR]]. The CNIL had considered the controller’s processing, including scraping the web for photos of data subjects, the URLs where those photos are, the metadata contained in photos. According to the CNIL, Clearview's services allow for identifying, finding information on and creating a detailed profile about an individual. It can therefore be considered to be related to the monitoring of the behaviour of data subjects. The Court also noted that the [[Garante per la protezione dei dati personali (Italy) - 9751362|Italian DPA (Garante) had fined Clearview AI € 20 million]], prohibited further processing and ordered it to designate a representative in the EU. The Court agreed with the CNIL and the Garante that the processing falls within the scope of the GDPR and that the AEPD is thus competent to resolve the complaint of the data subject.  


For those reasons, the Court partially upheld the appeal and ordered the AEPD to admit and process the complaint.
For those reasons, the Court partially upheld the appeal and ordered the AEPD to admit and handle the complaint.


== Comment ==
== Comment ==
''Share your comments here!''
The judgement of the ''Audiencia Nacional'' is in line with several decisions of European data protection authorities ([[DSB (Austria) - 2022-0.277.156|Austria]], [[CNIL (France) - SAN-2022-019|France]], [[HDPA (Greece) - 35/2022|Greece]], [[Garante per la protezione dei dati personali (Italy) - 9751362|Italy]], [https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/05/ico-fines-facial-recognition-database-company-clearview-ai-inc/ UK]). It corrects the AEPD's stance and, indirectly, contributes to a uniform approach throughout the European Union (and beyond) regarding Clearview.


== Further Resources ==
== Further Resources ==
Line 105: Line 107:
== English Machine Translation of the Decision ==
== English Machine Translation of the Decision ==
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
<pre>
Resource No.: 0002185/2021
                                NATIONAL AUDIENCE
                            Contentious-Administrative Chamber
                                        FIRST SECTION
                Resource No.: 0002185/2021
                Type of Appeal: ORDINARY PROCEDURE
                General Registry No.: 19167/2021
                Demanding: N.N
                Attorney: N.N
                Respondent: SPANISH DATA PROTECTION AGENCY
                State Attorney
                Speaker IImo. Mr.: N.N.
                                            S E N T E N C I A Nº:
                IImo. Mr. President:
                N.N.
                Ilmos. Messrs. Magistrates:
                N.N.
                N.N.
                N.N.
                  Madrid, June twenty-seven, two thousand twenty-four.
                  Seen by the Chamber, made up of the Magistrates related to the margin,
                the records of the contentious-administrative appeal number 2,185/21, filed by the
                Attorney of the Courts N.N., in the name and
                representation of N.N., against the resolution of 1
                September 2021 from the Director of the Spanish Data Protection Agency,
                which agreed to file the claim filed against Clearview AI
                INC., relapsed in file E/04461/2021. The ADMINISTRATION has been part
                OF THE STATE. The amount of the resource was set at undetermined.
                                                      1
                                                              Resource No.: 0002185/2021
                            FACTUAL BACKGROUND
    FIRST.- The appeal is admitted and the appropriate procedures have been carried out
procedural matters, transfer was granted to the plaintiff so that, within the term of
twenty days to formalize the demand, which was carried out in writing
presented on December 20, 2021 in which, after presenting the facts and
foundations of law that he considered appropriate, he ended up requesting that a
judgment by which “WITH APPROVAL OF THIS APPEAL is annulled,
revoke and annul the appealed resolution and, consequently:
      (i) the AEPD is ordered to recognize its competence to resolve the
claim presented by my client and, consequently, proceed to the
processing it until its resolution; and
      (ii) the AEPD is ordered to proceed with the initiation of the procedures
administrative procedures that correspond to the imposition on Clearview of how many
Sanctions may be appropriate based on the aforementioned infractions.
of articles 6, 9, 14, 15 and 17 of the GDPR”.
    SECOND.- Once the demand was formalized, it was transferred to the party
defendant to respond within twenty days, which he did
through the pertinent writing, alleging the facts and legal bases that
deemed pertinent, requesting that “a ruling be issued declaring the
inadmissibility of this appeal or, alternatively, it is dismissed, confirming
the contested administrative act.”
    THIRD.- By Order of July 11, 2022, it was agreed to receive
proof of the appeal, admitting the documentary evidence proposed by the party
actor. And, there being no more evidence to perform, the period of ten days was granted
to the parties for the formulation of conclusions. Once presented the
corresponding writings, the actions were pending voting and ruling,
which was scheduled for June 25 of the current year, the date on which it took place.
    WITH THE EXHIBITION MAGISTRATE BEING SPEAKER. N.N.
                          FOUNDATIONS OF LAW
    FIRST.- The plaintiff challenges the resolution of September 1, 2021
of the Director of the Spanish Data Protection Agency, by which it was agreed
the file of the claim filed against Clearview AI INC., falling on the
file E/04461/2021.
                                                      2
                                                                  Resource No.: 0002185/2021
      From the data in the file, the following are proven
facts relevant to issuing the resolution at hand:
      A) Clearview AI INC. is a company based in the United States of
America founded in 2017, facial recognition platform that allows users
Users upload an image of a person's face and track, based on the
physical match, other photos of that person's face collected from the Internet.
In his own words, the platform “includes the largest database
known from more than ten billion facial images from sources
public-only websites, including media outlets, mugshot websites,
public social networks and other open sources.”
    B) On February 14, 2020, the appellant here requested Clearview to exercise,
among others, access rights (art. 15 of Regulation (EU) 2016/679
of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to data processing
personal data and the free circulation of these data, hereinafter RGPD), and opposition
(art. 21 of the GDPR), with respect to personal data processed by the latter as
data controller on the basis of art. 14.1 c) of the GDPR. For this, it
addressed to the email address privacy@clearview.ai indicated for this purpose
by Clearview on their website https://www.clearview.ai/.
    C) Since the plaintiff did not receive a response, he repeated the request two more times.
of rights through the same system, on September 13, 2020 and 28
January 2021
      On January 29, 2021, Clearview urged the appellant to exercise his rights
through the form on the Web, which was done on January 30, 2021.
      D) Upon not receiving a response, on March 1, 2021, the plaintiff repeated, for
fifth time, the request to exercise your rights, this time through Email
electronic.
    On March 8, 2021, the appellant received an email from Clearview
urging you, again, to request the exercise of your rights through the form
included on the website
      E) The plaintiff presented a claim on March 10, 2021 against
Clearview AI INC. before the Spanish Data Protection Agency for infringement
of the arts. 15, 17 and 21 of the GDPR.
      F) On March 22, 2021, the appellant received a response from Clearview AI
INC. solely in response to your access request (art. 15 of the RGPD).
      G) Prior to the admission for processing of the claim presented,
It was transferred by the Spanish Data Protection Agency to
CLEARVIEW AI INC. to proceed with its analysis and respond to said
Agency within one month. Likewise, the requested report was requested on the
                                          3
                                                                Resource No.: 0002185/2021
causes that motivated the incident that occurred, and details of the measures adopted
to avoid similar situations. There is no record of receipt at the Agency of a
response to the transfer by the claimed entity.
    SECOND.- Firstly, we will analyze the cause of inadmissibility of art.
69.b) of the Law of Jurisdiction, raised by the legal representative of the
General Administration of the State, based on the lack of active legitimation of the
recurrent.
    To analyze this cause of inadmissibility, we must assume that the
Legitimation is an inexcusable presupposition of the process, providing for art. 19.1.a) of the
Law of Jurisdiction, which: “They are legitimized before the jurisdictional order
contentious-administrative: a) Natural or legal persons who hold a
right or legitimate interest.”
    In this sense, the Ruling of the Constitutional Court 52/2007, of 12
March, has specified that the legitimate interest, referred to in art. 24.1 of the
Constitution “is characterized as a univocal material relationship between the subject and the
object of the claim (challenged act or provision), in such a way that its
Override automatically produces a positive (benefit) or negative effect
(damage) current or future but certain, such relationship must be understood as referring to a
interest in its own sense, qualified and specific, current and real (not potential or
hypothetical). It is the potential ownership of an advantage or a utility
legal, not necessarily of patrimonial content, by the person exercising the
claim, which would materialize if this is successful. Or, what is the same, the interest
Legitimate is any legal advantage or utility derived from the intended reparation.
(SSTC 252/2000, of October 30, FJ 3; 173/2004, of October 18, FJ 3; and
73/2006, of March 13, FJ 4; in relation to a union, STC 28/2005, of 14
February, FJ 3)”.
      In the specific area of sanctioning procedures, it has been pointed out
in relation to legitimation in the Supreme Court Ruling of January 30
of 2001 - appeal no. 506/1998- that “the Chamber understands that the existence of
Legitimation is linked to a legitimate interest of the party that claims it,
being the key to determining whether or not that legitimate interest exists in the process of
challenge of a resolution... the information of whether the imposition of a sanction can
produce a positive effect on the legal sphere of the complainant or can eliminate a
burden or burden in that sphere, and it will be so, in each case, and depending on what
intended, as the appropriate answer to such a question can be given, not being
that the imposition of the sanction constitutes in itself the satisfaction of a
interest".
    More recently, in the field of data protection itself in which
we find ourselves, it is worth mentioning the Supreme Court Sentence of October 6,
2009 - appeal no. 4,712/2005 -, which states that “whoever reports facts that
considered to constitute a violation of data protection legislation.
of active standing to challenge through jurisdiction what the Agency resolves.
                                          4
                                                                Resource No.: 0002185/2021
This is clear from the rulings of this Chamber of November 6, 2007 and, with
even greater clarity, dated December 10, 2008.”
    The reason for said lack of legitimation lies, according to the aforementioned Judgment, in
that the complainant lacks the status of interested party in the procedure
sanctioning that can be initiated as a result of your complaint, since in the regulations of
data protection, that condition is not recognized. And as regards the
general principles of administrative sanctioning law, continues the aforementioned
Sentence “although on some occasions this Chamber has said that the complainant
can challenge the filing of the complaint by the Administration, it is not admitted that the
complainant can challenge the final administrative resolution. The crucial argument
in this matter is that the complainant, even when he considers himself
“victim” of the reported violation, does not have a subjective right or interest
legitimate for the accused to be punished. The punitive power belongs
only to the Administration that has been entrusted with the corresponding power
sanctioning authority - in this case, the Spanish Data Protection Agency - and therefore
Consequently, only the Administration has an interest protected by the legal system.
legal in which the offender is punished. It is true that things are not like that in the
criminal law itself, where popular action even exists, but this
It is because there are rules that expressly establish exceptions that do not
appear in administrative sanctioning law and, so now
specifically interested in data protection legislation. It's more:
Accepting the active standing of the complainant would not only lead to maintaining that
has an interest that the legal system does not recognize or protect, but rather
would also lead to transforming the contentious-administrative courts into a
type of appeal bodies in sanctioning matters. The latter would mean
accept that they can impose the administrative sanctions that the
Administration, which would clash with the so-called “reviewing nature” of the jurisdiction
administrative litigation.  In other words, the contentious courts
Administrative authorities can and must control the legality of administrative acts in
sanctioning matter; but they cannot replace the Administration in the exercise of
the sanctioning powers that the law entrusts to it.
    What has just been said must be clarified: the complainant of
a violation of data protection legislation lacks locus standi
to challenge the Agency's resolution regarding the result
sanctioner himself (imposition of a sanction, amount thereof, exculpation,
etc); but if necessary, it may have active legitimacy with respect to aspects
of the resolution other than the specifically sanctioning one, provided that, for
course, can show some genuine interest worthy of guardianship.”
    On the other hand, in the Supreme Court Ruling of June 9, 2014 -
resource no. 5.216/2011-, which states that: “The jurisprudence cited by the
contested ruling, as the basis for its decision to inadmiss the appeal
Due to lack of active standing of the appellant, it is made up of the
rulings of this Chamber of December 16, 2008 (recourse 6339/2004) and 6 of
October 2009 (resource 4712/2005), which fell on appeals that present
as a characteristic that, in the administrative process, after the filing of a
complaint, the AEPD carried out actions aimed at verifying the facts
                                          5
                                                                Resource No.: 0002185/2021
object of complaint, so that the decision to archive the file was
adopted by the AEPD after this investigative activity and verification of the
facts, and as a consequence of it.
    In this context that we have just explained, that is, in cases in which
The Administration had developed an investigation and verification action
of the facts reported, the rulings of this Chamber, cited by the ruling
appealed, made the statements that the complainant does not have a right
subjective nor a legitimate interest in having the accused person punished. Specifically, the
STS of December 15, 2008 declared that the complainant lacked standing
for the claim exercised in the appeal, which had been to force the
AEPD to sanction the entity reported for serious misconduct, and the STS of 29
September 2009 considered that the contested ruling had incurred
inconsistency, because the petition of the lawsuit was limited to requesting the annulment of the
resolution of the AEPD and the contested ruling went further and ordered retroaction
of actions in order to impose the corresponding administrative sanction.”
    The second claim contained in the application's request says: “(ii)
order the AEPD to proceed with the initiation of administrative procedures
that correspond to the imposition on Clearview of any sanctions that may be
appropriate on the basis of the aforementioned violations of articles 6, 9,
14, 15 and 17 of the GDPR”.
      Thus, the appellant in said claim requests the exercise of
sanctioning power for non-compliance with data protection regulations,
His legitimacy to challenge the Agency's decision is not proven, since
As indicated in the Supreme Court Ruling of February 1, 2018 - appeal no.
2,368/2016-: “The claim to defend legality ---regardless of its
regulation in the field of criminal law---requires, in the field that affects us,
administrative law, of a specific and concrete authorization that is not perceived
nor is it accredited in the matter of the protection of personal data, and must
Remember that the punitive power belongs solely to the Administration, which is
who is entrusted with the corresponding sanctioning power --- in this case,
the Spanish Data Protection Agency--, and, consequently, only the
Administration has an interest protected by the legal system in which the
offender be punished; The opposite would imply replacing the Administration in the
exercise of sanctioning power.”
      In short, in view of the above, the actor lacks both a right
subjective as well as a legitimate interest in the success of the claim we are
analyzing, so it is inadmissible under art. 69. b) of the Law of
the Jurisdiction.
    But in the case at hand, it is also intended that the Agency
Spanish Data Protection Authority recognizes its competence to resolve the
claim presented by the appellant and, consequently, the
processing it until its resolution.
                                          6
                                                                Resource No.: 0002185/2021
      Well, in relation to said claim, if the plaintiff is found
actively legitimized to challenge the resolution issued in a procedure of
protection of rights, which inadmisses the claim made by them via
administrative, since it includes that specific suitability that derives from the
underlying problem to be discussed in this resource. Criterion that is followed by this
Section in the Judgments of November 16, 2011 - appeal no. 413/2010-, of
May 17, 2012 - appeal no. 406/2010 -, and March 8, 2019 -resource no.
165/2018-, among others.
    Therefore, we will now analyze the aforementioned claim.
      THIRD.- In the appealed resolution, the plaintiff's claim is filed against
be excluded from the scope of application of the RGPD, based on the following: “In this
case, although it is true that, to offer the service, the search engine reads and
stores millions of photographs publicly accessible over the Internet –
many of which correspond to European residents – the conditions for
that a processing carried out by a controller outside the Union (in this case, in
U.S.) is covered by the GDPR are that the activities associated with it
are related to the offer of goods or services to said interested parties in the
Union, as determined by art. 3.2.a) of the RGPD, or that are related to the control
of their behavior, as provided in article 3.2.b) of the RGPD. Circumstances
that do not occur in this case.”
    The actor alleges that the Spanish Data Protection Agency is competent
to process your claim based on art. 3.2.b) of the RGPD. Clearview is said to
not only processes personal data, but also processes special categories of
personal data of art. 9 of the GDPR. It is clear that recital 51
of the GDPR makes it explicit that the processing of photographs is not considered
systematically processing special data, as it is not understood that the
image is de facto biometric data, unless, as is the case, “the fact of
be treated with specific technical means allowing the identification or
univocal authentication of a natural person.
    It is argued that by indicating that the GDPR applies to activities of
treatment related to "behavioral control", art. 3.2.b) of the
GDPR implies that any data controller or data controller
later worldwide that tracks European users in a way
identified or identifiable person would be carrying out treatment activities under the
scope of the GDPR. It is added that the GDPR covers any form of tracking in
Internet that, in terms of its intensity, is equivalent to a "surveillance" of the
interested parties, and that the monitoring of interested parties on the Internet through
comparison of biometric data, as carried out by Clearview, would already determine the
scope of art. 3.2.b) of the RGPD.
    In this regard, the Court is informed in the application of the
conclusions reached, in this sense, by other authorities for the protection of
international data, including many in the European Union. This is how they refer to
                                        7
                                                                Resource No.: 0002185/2021
cases from the United Kingdom, Hamburg, Holland, France. And in the written conclusions
Reference is made to cases from Greece and Italy.
    Finally, it is alluded to that the appealed resolution incurs arbitrariness and lack
of motivation as a consequence of hardly carrying out checks on the
responsibility of Clearview and to obviate past non-compliance.
      FOURTH.- The art. 3.2.b) of the RGPD, on which the plaintiff relies to determine
the competence of the Spanish Data Protection Agency, provides: “The
This Regulation applies to the processing of personal data of interested parties
residing in the Union by a person responsible or in charge not established in
the Union, when the processing activities are related to: …. b) the
control of their behavior, to the extent that this takes place in the Union.”
    For its part, recital 24 of the aforementioned RGPD states: “(24) The treatment
of personal data of interested parties residing in the Union by a controller
or processor not established in the Union should also be the subject of this
Regulation when related to the observation of the behavior of
said interested parties to the extent that this behavior takes place in the
Union. To determine whether a treatment activity can be considered
controls the behavior of the interested parties, it must be evaluated whether the people
Physical data are tracked on the Internet, including potential subsequent use
of personal data processing techniques that consist of the preparation of
a profile of a natural person for the purpose, in particular, of making decisions about
him or to analyze or predict his personal preferences, behaviors and
attitudes.”
    While art. 4 of the GDPR defines “profiling” as “any
form of automated processing of personal data consisting of using data
personal to evaluate certain personal aspects of a natural person,
in particular to analyze or predict aspects related to professional performance,
economic situation, health, personal preferences, interests, reliability,
behavior, location or movements of said natural person.”
    Thus, in resolution No. MED-2021-134, of November 26,
2021from the National Commission for Information Technologies and Freedoms
Public Authorities of France, in relation to the entity Clearview AI INC., and the application of the
art. 3.2.b) of the GDPR, it says: “First of all, the processing in question leads to
creating a behavioral profile of all people whose data is collected
they collect
    From the relevant information, provided within the framework of cooperation between the
supervisory authorities, it follows that the tool in question allows
generate, from a photograph, a search result that contains all the
photographs with a biometric model close enough to said photograph.
This search result includes all photographs in which the
face of a person and that have been collected by the company, subject to a
margin of technical error.
                                          8
                                                                Resource No.: 0002185/2021
    The profile thus created, relating to a person, is made up of photographs, but
also the URL address of all the web pages on which they are located
these photographs. However, the linking of photographs and the context in which
presented on a website allows you to collect a lot of information about a
person, their habits or preferences. Regarding social networks in
particular, it is very likely that a photograph and the original URL of this photograph
identify the account of the person in question. Photographs can also
have been published online to illustrate a press or blog article, therefore
which is likely to contain accurate information about the person concerned and,
therefore, elements related to its behavior.
    Additionally, images may contain metadata, such as image metadata.
geolocation, which are also included in the search result and are
can be used to complete a person's profile.
    This search result also allows you to identify the behavior of
a person on the Internet, by analyzing the information that person has
chosen to put online, as well as its context. Indeed, the publication of photographs
online constitutes in itself a behavior of the affected person, since
reflects options about the level of exposure you want to give to elements of your
private or professional life.
    Therefore, it is appropriate to consider that the search result associated
A photograph must be classified, at least partially, as a profile of
behavior of the person in question, to the extent that it contains a
large amount of information relating to said person and, in particular, his
behavior. Even when the purpose of the treatment itself is not the control of the
behavior, the means used to enable the identification system
biometrics from the company Clearview involve the creation of such a profile, and may
treatment to be considered “linked to behavioral monitoring”
of the affected people.
    Secondly, the automated data processing that allows the
creation of said behavioral profile and its availability to people who
queries in the company's search engine should be classified as
tracking on the Internet.
      Indeed, the very purpose of the tool marketed by Clearview
is to be able to identify and collect certain information related to a person. The
implementation of the different stages of processing described above,
and in particular biometric techniques to distinguish an individual, lead to the
creating a behavioral profile. However, this profile is created in
response to a search carried out by a person and relating to a person who
appears in a photograph.
    Additionally, the search can be renewed over time, allowing you to see a
evolution of information relating to a person, especially when compared
the results of successive searches. In fact, since the database is
updated periodically, successive searches allow us to follow the evolution of
a profile over time.”
    And the conclusion is reached that the treatment carried out in this way is linked
to monitoring the behavior of the interested parties in the sense of the
provisions of art. 3.2.b) of the RGPD and falls within the territorial scope of the RGPD.
                                          9
                                                                Resource No.: 0002185/2021
    On the other hand, the Italian Data Protection Authority, by the resolution of
March 9, 2022, after discovering that what amounted to
biometric control also of people in Italian territory, fined the company
American Clearview AI with 20 million euros, as well as ordered the aforementioned
company to delete data relating to natural persons in Italy. banned
any other collection and processing of data through the system
facial recognition of the company, and to appoint a representative in the EU
to contact, in addition to the data controller based in the USA or in
instead of it, in order to facilitate the exercise of the rights of the interested parties.
    Well, in light of the above, the Chamber agrees with what
exposed, in the sense that the Spanish Data Protection Agency has
jurisdiction to hear the appellant's claim against the company
Clearview, the GDPR being applicable based on art. 3.2.b) of the aforementioned Regulation,
It should be added that the aforementioned provision does not require that the treatment be carried out
carried out in order to control people's behavior, but simply
“linked” to him.
    Consequently, in light of the foregoing, the appeal must be upheld.
contentious-administrative in relation to the claim that we have just stated
examine, and the aforementioned appeal must be partially upheld.
    FIFTH.- In accordance with art. 139.1 of the Law of Jurisdiction, when estimated in
party the contentious-administrative appeal, each party will pay the costs incurred
at his request and the common ones in half.
    HAVING SEEN the cited articles, and others of general and pertinent application.
    WE FAIL: In relation to the contentious-administrative appeal filed
by the Attorney General of the Courts N.N., in the name and
representation of N.N., against the resolution of 1
September 2021 from the Director of the Spanish Data Protection Agency,
which agreed to file the claim filed against Clearview AI
INC., relapse in file E/04461/2021:
    1st. The inadmissibility of the aforementioned appeal is declared by application of art. 69.b)
of the Law of Jurisdiction regarding the second of the claims contained in
the request of the demand.
    2nd.- The appeal is upheld in relation to the first claim of the petition of the
lawsuit, declaring the nullity of the appealed resolution for not being in accordance with
right, and the Spanish Data Protection Agency must admit the
the appellant's claim and process it.
                                          10
                                                                  Resource No.: 0002185/2021
    3º- Without making a special statement on the procedural costs.
    This ruling is subject to appeal, which must be
prepare before this Court within a period of 30 days counted from the day following that of
your notification; In the document preparing the appeal, the
compliance with the requirements established in art. 89.2 of the Law of the
Jurisdiction justifying the objective cassational interest that it presents.
    Thus, by this our Sentence, we pronounce it, we order and we sign.
</pre>

Latest revision as of 12:30, 17 July 2024

AN - 2185/2021 (Appeal number - Número de Recurso)
Courts logo1.png
Court: AN (Spain)
Jurisdiction: Spain
Relevant Law: Article 3(2)(b) GDPR
Ley 29/1998, de 13 de julio, reguladora de la Jurisdicción Contencioso-administrativa
Decided: 27.06.2024
Published:
Parties: AEPD
National Case Number/Name: 2185/2021 (Appeal number - Número de Recurso)
European Case Law Identifier:
Appeal from: AEPD (Spain)
E/04461/2021
Appeal to: Unknown
Original Language(s): Spanish
Original Source: Audiencia Nacional - Sala de lo Contencioso-Administrativo (in Spanish)
Initial Contributor: lm

The Court found the Spanish DPA competent to resolve a complaint against US-based Clearview AI, and thus ordered the DPA to admit and process the complaint.

English Summary

Facts

Clearview AI Inc. (the controller or Clearview) is a company established in the United States. The controller scrapes the internet for photos of faces. Users of its services can upload a photo of the face of a person and obtain other photos of the same person, based on facial recognition technology. They also obtain the URLs where those photos were found. These searches may identify a data subject’s social media accounts or other webpages that disclose further personal data about them. The controller claimed to have the biggest known database of facial images with more than 10 billion images.

In February 2020, September 2020 and January 2021, the data subject submitted access requests as well as objections to processing to the controller via the email address privacy@clearview.ai. The controller did not respond until 29 January 2021, when it instructed the data subject to exercise its rights using a web form. The data subject submitted the form but did not receive a response. In March 2021 the data subject sent another email to the controller attempting to exercise their rights. The controller again responded by instructing them to fill out the web form.

On 10 March 2021 the data subject filed a complaint with the Spanish DPA (AEPD) alleging numerous infringements of the GDPR. The AEPD archived the complaint in September 2021 on the basis that it lacked competence because the controller did not fall within the scope of Article 3(2) GDPR. This provision applies the GDPR to controllers established outside of the EU – in this case, the US – when they offer goods or services to data subjects in the Union of if they monitor their behaviour. The AEPD considered that the provision was not applicable in this case.

The data subject initiated proceedings before the Administrative Chamber of Spain’s Audiencia Nacional (the Court) to challenge the AEPD’s decision. It argued that the AEPD is competent to handle the complaint because Clearview processed EU data subjects’ data surveilling their behaviour, bringing it within the scope of Article 3(2)(b) GDPR. Specifically, the data subject claimed that the controller processed photographs “through specific technical means allowing the unique identification or authentication of a natural person”—a type of processing that Recital 51 GDPR explicitly considers processing of a special category of data. The data subject requested that the AEPD’s decision be annulled and that the Court:

  1. Order the AEPD to recognize its competence to resolve the complaint and that, in consequence, the complaint be dealt with.
  2. Order the AEPD to initiate sanctioning proceedings for infringements of Articles 6, 9, 14, 15 and 17 GDPR.

Holding

The Court partially upheld the appeal. In relation to the first request, it found that the Spanish DPA was competent to resolve the complaint under the GDPR. Therefore, it must admit and handle the data subject’s complaint. The Court declared the second request inadmissible because the data subject did not have a subjective right nor a legitimate interest to request the Court to order a DPA to sanction a controller.

Request to Order the AEPD to Initiate Sanctioning Proceedings

The Court declared the data subject’s request that the Court order the AEPD to initiate sanctioning proceedings inadmissible.

The Court reiterated the jurisprudence of the Tribunal Supremo (Supreme Court) noting that complainants do not have a subjective right or legitimate interest in sanctioning a defendant. In data protection matters the sanctioning power is entrusted solely to the public administration – in this case, the AEPD. As a result, data subjects cannot challenge DPA decisions in a sanctioning procedure, nor can they request courts to impose administrative sanctions that were not imposed by the DPA. Administrative courts can control the legality of administrative acts in sanctioning matters, but they cannot impose administrative sanctions that were not imposed by the Administration (among others, Judgement of the Supreme Court of 6 October 2009, no. 4.712/2005).

Because of this reasoning, the Court declared the request inadmissible.

Request to Order the AEPD to Resolve the Complaint

In contrast to its previous findings, the Court held that a data subject can challenge a decision issued in a procedure for the protection of rights where an authority does not admit the complaint filed. It found that the AEPD was competent and is, thus, obligated to handle the complaint.

The Court rejected the AEPD’s finding that it lacked competence to resolve the complaint. It agreed with the data subject as well as DPAs in Hamburg, the Netherlands, France, Greece, Italy and the UK that the controller, in processing and scraping the personal data of European users, falls within the scope of Article 3(2)(b) GDPR. According to the Court, Article 3(2)(b) GDPR does not mean that processing must have the purpose of controlling the behavior of the data subjects; it only requires that the processing be ‘linked’ to such a purpose.

In particular, the Court relied heavily on the French DPA’s (CNIL) decision of 26 November 2021, in which it identified Clearview as falling within the scope of Article 3(2)(b) GDPR. The CNIL had considered the controller’s processing, including scraping the web for photos of data subjects, the URLs where those photos are, the metadata contained in photos. According to the CNIL, Clearview's services allow for identifying, finding information on and creating a detailed profile about an individual. It can therefore be considered to be related to the monitoring of the behaviour of data subjects. The Court also noted that the Italian DPA (Garante) had fined Clearview AI € 20 million, prohibited further processing and ordered it to designate a representative in the EU. The Court agreed with the CNIL and the Garante that the processing falls within the scope of the GDPR and that the AEPD is thus competent to resolve the complaint of the data subject.

For those reasons, the Court partially upheld the appeal and ordered the AEPD to admit and handle the complaint.

Comment

The judgement of the Audiencia Nacional is in line with several decisions of European data protection authorities (Austria, France, Greece, Italy, UK). It corrects the AEPD's stance and, indirectly, contributes to a uniform approach throughout the European Union (and beyond) regarding Clearview.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Resource No.: 0002185/2021





                                NATIONAL AUDIENCE



                            Contentious-Administrative Chamber

                                         FIRST SECTION




                Resource No.: 0002185/2021
                Type of Appeal: ORDINARY PROCEDURE
                General Registry No.: 19167/2021
                Demanding: N.N
                Attorney: N.N

                Respondent: SPANISH DATA PROTECTION AGENCY
                State Attorney


                Speaker IImo. Mr.: N.N.





                                            S E N T E N C I A Nº:






                 IImo. Mr. President:
                 N.N.


                 Ilmos. Messrs. Magistrates:
                 N.N.
                 N.N.
                 N.N.



                   Madrid, June twenty-seven, two thousand twenty-four.


                   Seen by the Chamber, made up of the Magistrates related to the margin,
                the records of the contentious-administrative appeal number 2,185/21, filed by the
                Attorney of the Courts N.N., in the name and
                representation of N.N., against the resolution of 1

                September 2021 from the Director of the Spanish Data Protection Agency,
                which agreed to file the claim filed against Clearview AI
                INC., relapsed in file E/04461/2021. The ADMINISTRATION has been part
                OF THE STATE. The amount of the resource was set at undetermined.






                                                       1






                                                               Resource No.: 0002185/2021




                            FACTUAL BACKGROUND



    FIRST.- The appeal is admitted and the appropriate procedures have been carried out
procedural matters, transfer was granted to the plaintiff so that, within the term of
twenty days to formalize the demand, which was carried out in writing

presented on December 20, 2021 in which, after presenting the facts and
foundations of law that he considered appropriate, he ended up requesting that a
judgment by which “WITH APPROVAL OF THIS APPEAL is annulled,
revoke and annul the appealed resolution and, consequently:
      (i) the AEPD is ordered to recognize its competence to resolve the

claim presented by my client and, consequently, proceed to the
processing it until its resolution; and
      (ii) the AEPD is ordered to proceed with the initiation of the procedures
administrative procedures that correspond to the imposition on Clearview of how many
Sanctions may be appropriate based on the aforementioned infractions.

of articles 6, 9, 14, 15 and 17 of the GDPR”.


     SECOND.- Once the demand was formalized, it was transferred to the party

defendant to respond within twenty days, which he did
through the pertinent writing, alleging the facts and legal bases that
deemed pertinent, requesting that “a ruling be issued declaring the
inadmissibility of this appeal or, alternatively, it is dismissed, confirming
the contested administrative act.”



    THIRD.- By Order of July 11, 2022, it was agreed to receive
proof of the appeal, admitting the documentary evidence proposed by the party
actor. And, there being no more evidence to perform, the period of ten days was granted

to the parties for the formulation of conclusions. Once presented the
corresponding writings, the actions were pending voting and ruling,
which was scheduled for June 25 of the current year, the date on which it took place.



     WITH THE EXHIBITION MAGISTRATE BEING SPEAKER. N.N.


                           FOUNDATIONS OF LAW



     FIRST.- The plaintiff challenges the resolution of September 1, 2021
of the Director of the Spanish Data Protection Agency, by which it was agreed

the file of the claim filed against Clearview AI INC., falling on the
file E/04461/2021.


                                                       2



                                                                  Resource No.: 0002185/2021



      From the data in the file, the following are proven
facts relevant to issuing the resolution at hand:


      A) Clearview AI INC. is a company based in the United States of
America founded in 2017, facial recognition platform that allows users
Users upload an image of a person's face and track, based on the
physical match, other photos of that person's face collected from the Internet.

In his own words, the platform “includes the largest database
known from more than ten billion facial images from sources
public-only websites, including media outlets, mugshot websites,
public social networks and other open sources.”


     B) On February 14, 2020, the appellant here requested Clearview to exercise,
among others, access rights (art. 15 of Regulation (EU) 2016/679
of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to data processing
personal data and the free circulation of these data, hereinafter RGPD), and opposition

(art. 21 of the GDPR), with respect to personal data processed by the latter as
data controller on the basis of art. 14.1 c) of the GDPR. For this, it
addressed to the email address privacy@clearview.ai indicated for this purpose
by Clearview on their website https://www.clearview.ai/.


     C) Since the plaintiff did not receive a response, he repeated the request two more times.
of rights through the same system, on September 13, 2020 and 28
January 2021


      On January 29, 2021, Clearview urged the appellant to exercise his rights
through the form on the Web, which was done on January 30, 2021.

      D) Upon not receiving a response, on March 1, 2021, the plaintiff repeated, for
fifth time, the request to exercise your rights, this time through Email

electronic.

     On March 8, 2021, the appellant received an email from Clearview
urging you, again, to request the exercise of your rights through the form
included on the website


      E) The plaintiff presented a claim on March 10, 2021 against
Clearview AI INC. before the Spanish Data Protection Agency for infringement
of the arts. 15, 17 and 21 of the GDPR.


      F) On March 22, 2021, the appellant received a response from Clearview AI
INC. solely in response to your access request (art. 15 of the RGPD).

      G) Prior to the admission for processing of the claim presented,

It was transferred by the Spanish Data Protection Agency to
CLEARVIEW AI INC. to proceed with its analysis and respond to said
Agency within one month. Likewise, the requested report was requested on the




                                           3





                                                                 Resource No.: 0002185/2021



causes that motivated the incident that occurred, and details of the measures adopted
to avoid similar situations. There is no record of receipt at the Agency of a

response to the transfer by the claimed entity.


     SECOND.- Firstly, we will analyze the cause of inadmissibility of art.
69.b) of the Law of Jurisdiction, raised by the legal representative of the

General Administration of the State, based on the lack of active legitimation of the
recurrent.

     To analyze this cause of inadmissibility, we must assume that the
Legitimation is an inexcusable presupposition of the process, providing for art. 19.1.a) of the

Law of Jurisdiction, which: “They are legitimized before the jurisdictional order
contentious-administrative: a) Natural or legal persons who hold a
right or legitimate interest.”

     In this sense, the Ruling of the Constitutional Court 52/2007, of 12

March, has specified that the legitimate interest, referred to in art. 24.1 of the
Constitution “is characterized as a univocal material relationship between the subject and the
object of the claim (challenged act or provision), in such a way that its
Override automatically produces a positive (benefit) or negative effect

(damage) current or future but certain, such relationship must be understood as referring to a
interest in its own sense, qualified and specific, current and real (not potential or
hypothetical). It is the potential ownership of an advantage or a utility
legal, not necessarily of patrimonial content, by the person exercising the
claim, which would materialize if this is successful. Or, what is the same, the interest

Legitimate is any legal advantage or utility derived from the intended reparation.
(SSTC 252/2000, of October 30, FJ 3; 173/2004, of October 18, FJ 3; and
73/2006, of March 13, FJ 4; in relation to a union, STC 28/2005, of 14
February, FJ 3)”.


      In the specific area of sanctioning procedures, it has been pointed out
in relation to legitimation in the Supreme Court Ruling of January 30
of 2001 - appeal no. 506/1998- that “the Chamber understands that the existence of
Legitimation is linked to a legitimate interest of the party that claims it,
being the key to determining whether or not that legitimate interest exists in the process of

challenge of a resolution... the information of whether the imposition of a sanction can
produce a positive effect on the legal sphere of the complainant or can eliminate a
burden or burden in that sphere, and it will be so, in each case, and depending on what
intended, as the appropriate answer to such a question can be given, not being
that the imposition of the sanction constitutes in itself the satisfaction of a

interest".

     More recently, in the field of data protection itself in which
we find ourselves, it is worth mentioning the Supreme Court Sentence of October 6,

2009 - appeal no. 4,712/2005 -, which states that “whoever reports facts that
considered to constitute a violation of data protection legislation.
of active standing to challenge through jurisdiction what the Agency resolves.




                                          4





                                                                Resource No.: 0002185/2021



This is clear from the rulings of this Chamber of November 6, 2007 and, with
even greater clarity, dated December 10, 2008.”


     The reason for said lack of legitimation lies, according to the aforementioned Judgment, in
that the complainant lacks the status of interested party in the procedure
sanctioning that can be initiated as a result of your complaint, since in the regulations of
data protection, that condition is not recognized. And as regards the
general principles of administrative sanctioning law, continues the aforementioned

Sentence “although on some occasions this Chamber has said that the complainant
can challenge the filing of the complaint by the Administration, it is not admitted that the
complainant can challenge the final administrative resolution. The crucial argument
in this matter is that the complainant, even when he considers himself
“victim” of the reported violation, does not have a subjective right or interest

legitimate for the accused to be punished. The punitive power belongs
only to the Administration that has been entrusted with the corresponding power
sanctioning authority - in this case, the Spanish Data Protection Agency - and therefore
Consequently, only the Administration has an interest protected by the legal system.
legal in which the offender is punished. It is true that things are not like that in the
criminal law itself, where popular action even exists, but this

It is because there are rules that expressly establish exceptions that do not
appear in administrative sanctioning law and, so now
specifically interested in data protection legislation. It's more:
Accepting the active standing of the complainant would not only lead to maintaining that
has an interest that the legal system does not recognize or protect, but rather

would also lead to transforming the contentious-administrative courts into a
type of appeal bodies in sanctioning matters. The latter would mean
accept that they can impose the administrative sanctions that the
Administration, which would clash with the so-called “reviewing nature” of the jurisdiction
administrative litigation.  In other words, the contentious courts

Administrative authorities can and must control the legality of administrative acts in
sanctioning matter; but they cannot replace the Administration in the exercise of
the sanctioning powers that the law entrusts to it.
     What has just been said must be clarified: the complainant of
a violation of data protection legislation lacks locus standi

to challenge the Agency's resolution regarding the result
sanctioner himself (imposition of a sanction, amount thereof, exculpation,
etc); but if necessary, it may have active legitimacy with respect to aspects
of the resolution other than the specifically sanctioning one, provided that, for
course, can show some genuine interest worthy of guardianship.”


     On the other hand, in the Supreme Court Ruling of June 9, 2014 -
resource no. 5.216/2011-, which states that: “The jurisprudence cited by the
contested ruling, as the basis for its decision to inadmiss the appeal
Due to lack of active standing of the appellant, it is made up of the

rulings of this Chamber of December 16, 2008 (recourse 6339/2004) and 6 of
October 2009 (resource 4712/2005), which fell on appeals that present
as a characteristic that, in the administrative process, after the filing of a
complaint, the AEPD carried out actions aimed at verifying the facts




                                          5





                                                                Resource No.: 0002185/2021



object of complaint, so that the decision to archive the file was
adopted by the AEPD after this investigative activity and verification of the

facts, and as a consequence of it.
     In this context that we have just explained, that is, in cases in which
The Administration had developed an investigation and verification action
of the facts reported, the rulings of this Chamber, cited by the ruling
appealed, made the statements that the complainant does not have a right

subjective nor a legitimate interest in having the accused person punished. Specifically, the
STS of December 15, 2008 declared that the complainant lacked standing
for the claim exercised in the appeal, which had been to force the
AEPD to sanction the entity reported for serious misconduct, and the STS of 29
September 2009 considered that the contested ruling had incurred

inconsistency, because the petition of the lawsuit was limited to requesting the annulment of the
resolution of the AEPD and the contested ruling went further and ordered retroaction
of actions in order to impose the corresponding administrative sanction.”

     The second claim contained in the application's request says: “(ii)

order the AEPD to proceed with the initiation of administrative procedures
that correspond to the imposition on Clearview of any sanctions that may be
appropriate on the basis of the aforementioned violations of articles 6, 9,
14, 15 and 17 of the GDPR”.


      Thus, the appellant in said claim requests the exercise of
sanctioning power for non-compliance with data protection regulations,
His legitimacy to challenge the Agency's decision is not proven, since
As indicated in the Supreme Court Ruling of February 1, 2018 - appeal no.

2,368/2016-: “The claim to defend legality ---regardless of its
regulation in the field of criminal law---requires, in the field that affects us,
administrative law, of a specific and concrete authorization that is not perceived
nor is it accredited in the matter of the protection of personal data, and must
Remember that the punitive power belongs solely to the Administration, which is

who is entrusted with the corresponding sanctioning power --- in this case,
the Spanish Data Protection Agency--, and, consequently, only the
Administration has an interest protected by the legal system in which the
offender be punished; The opposite would imply replacing the Administration in the
exercise of sanctioning power.”


      In short, in view of the above, the actor lacks both a right
subjective as well as a legitimate interest in the success of the claim we are
analyzing, so it is inadmissible under art. 69. b) of the Law of
the Jurisdiction.


     But in the case at hand, it is also intended that the Agency
Spanish Data Protection Authority recognizes its competence to resolve the
claim presented by the appellant and, consequently, the

processing it until its resolution.






                                          6





                                                                Resource No.: 0002185/2021



      Well, in relation to said claim, if the plaintiff is found
actively legitimized to challenge the resolution issued in a procedure of
protection of rights, which inadmisses the claim made by them via

administrative, since it includes that specific suitability that derives from the
underlying problem to be discussed in this resource. Criterion that is followed by this
Section in the Judgments of November 16, 2011 - appeal no. 413/2010-, of
May 17, 2012 - appeal no. 406/2010 -, and March 8, 2019 -resource no.
165/2018-, among others.


     Therefore, we will now analyze the aforementioned claim.


      THIRD.- In the appealed resolution, the plaintiff's claim is filed against

be excluded from the scope of application of the RGPD, based on the following: “In this
case, although it is true that, to offer the service, the search engine reads and
stores millions of photographs publicly accessible over the Internet –
many of which correspond to European residents – the conditions for
that a processing carried out by a controller outside the Union (in this case, in
U.S.) is covered by the GDPR are that the activities associated with it

are related to the offer of goods or services to said interested parties in the
Union, as determined by art. 3.2.a) of the RGPD, or that are related to the control
of their behavior, as provided in article 3.2.b) of the RGPD. Circumstances
that do not occur in this case.”


     The actor alleges that the Spanish Data Protection Agency is competent
to process your claim based on art. 3.2.b) of the RGPD. Clearview is said to
not only processes personal data, but also processes special categories of
personal data of art. 9 of the GDPR. It is clear that recital 51
of the GDPR makes it explicit that the processing of photographs is not considered

systematically processing special data, as it is not understood that the
image is de facto biometric data, unless, as is the case, “the fact of
be treated with specific technical means allowing the identification or
univocal authentication of a natural person.


     It is argued that by indicating that the GDPR applies to activities of
treatment related to "behavioral control", art. 3.2.b) of the
GDPR implies that any data controller or data controller
later worldwide that tracks European users in a way
identified or identifiable person would be carrying out treatment activities under the

scope of the GDPR. It is added that the GDPR covers any form of tracking in
Internet that, in terms of its intensity, is equivalent to a "surveillance" of the
interested parties, and that the monitoring of interested parties on the Internet through
comparison of biometric data, as carried out by Clearview, would already determine the
scope of art. 3.2.b) of the RGPD.


     In this regard, the Court is informed in the application of the
conclusions reached, in this sense, by other authorities for the protection of
international data, including many in the European Union. This is how they refer to




                                         7





                                                                 Resource No.: 0002185/2021



cases from the United Kingdom, Hamburg, Holland, France. And in the written conclusions
Reference is made to cases from Greece and Italy.


     Finally, it is alluded to that the appealed resolution incurs arbitrariness and lack
of motivation as a consequence of hardly carrying out checks on the
responsibility of Clearview and to obviate past non-compliance.



      FOURTH.- The art. 3.2.b) of the RGPD, on which the plaintiff relies to determine
the competence of the Spanish Data Protection Agency, provides: “The
This Regulation applies to the processing of personal data of interested parties
residing in the Union by a person responsible or in charge not established in
the Union, when the processing activities are related to: …. b) the

control of their behavior, to the extent that this takes place in the Union.”

     For its part, recital 24 of the aforementioned RGPD states: “(24) The treatment
of personal data of interested parties residing in the Union by a controller
or processor not established in the Union should also be the subject of this
Regulation when related to the observation of the behavior of

said interested parties to the extent that this behavior takes place in the
Union. To determine whether a treatment activity can be considered
controls the behavior of the interested parties, it must be evaluated whether the people
Physical data are tracked on the Internet, including potential subsequent use
of personal data processing techniques that consist of the preparation of

a profile of a natural person for the purpose, in particular, of making decisions about
him or to analyze or predict his personal preferences, behaviors and
attitudes.”

     While art. 4 of the GDPR defines “profiling” as “any

form of automated processing of personal data consisting of using data
personal to evaluate certain personal aspects of a natural person,
in particular to analyze or predict aspects related to professional performance,
economic situation, health, personal preferences, interests, reliability,
behavior, location or movements of said natural person.”


     Thus, in resolution No. MED-2021-134, of November 26,
2021from the National Commission for Information Technologies and Freedoms
Public Authorities of France, in relation to the entity Clearview AI INC., and the application of the
art. 3.2.b) of the GDPR, it says: “First of all, the processing in question leads to

creating a behavioral profile of all people whose data is collected
they collect
     From the relevant information, provided within the framework of cooperation between the
supervisory authorities, it follows that the tool in question allows
generate, from a photograph, a search result that contains all the

photographs with a biometric model close enough to said photograph.
This search result includes all photographs in which the
face of a person and that have been collected by the company, subject to a
margin of technical error.




                                          8 





                                                                 Resource No.: 0002185/2021



     The profile thus created, relating to a person, is made up of photographs, but
also the URL address of all the web pages on which they are located
these photographs. However, the linking of photographs and the context in which

presented on a website allows you to collect a lot of information about a
person, their habits or preferences. Regarding social networks in
particular, it is very likely that a photograph and the original URL of this photograph
identify the account of the person in question. Photographs can also
have been published online to illustrate a press or blog article, therefore

which is likely to contain accurate information about the person concerned and,
therefore, elements related to its behavior.
     Additionally, images may contain metadata, such as image metadata.
geolocation, which are also included in the search result and are
can be used to complete a person's profile.

     This search result also allows you to identify the behavior of
a person on the Internet, by analyzing the information that person has
chosen to put online, as well as its context. Indeed, the publication of photographs
online constitutes in itself a behavior of the affected person, since
reflects options about the level of exposure you want to give to elements of your
private or professional life.

     Therefore, it is appropriate to consider that the search result associated
A photograph must be classified, at least partially, as a profile of
behavior of the person in question, to the extent that it contains a
large amount of information relating to said person and, in particular, his
behavior. Even when the purpose of the treatment itself is not the control of the

behavior, the means used to enable the identification system
biometrics from the company Clearview involve the creation of such a profile, and may
treatment to be considered “linked to behavioral monitoring”
of the affected people.
     Secondly, the automated data processing that allows the

creation of said behavioral profile and its availability to people who
queries in the company's search engine should be classified as
tracking on the Internet.
      Indeed, the very purpose of the tool marketed by Clearview
is to be able to identify and collect certain information related to a person. The

implementation of the different stages of processing described above,
and in particular biometric techniques to distinguish an individual, lead to the
creating a behavioral profile. However, this profile is created in
response to a search carried out by a person and relating to a person who
appears in a photograph.

     Additionally, the search can be renewed over time, allowing you to see a
evolution of information relating to a person, especially when compared
the results of successive searches. In fact, since the database is
updated periodically, successive searches allow us to follow the evolution of
a profile over time.”


     And the conclusion is reached that the treatment carried out in this way is linked
to monitoring the behavior of the interested parties in the sense of the
provisions of art. 3.2.b) of the RGPD and falls within the territorial scope of the RGPD.




                                          9





                                                                 Resource No.: 0002185/2021




     On the other hand, the Italian Data Protection Authority, by the resolution of

March 9, 2022, after discovering that what amounted to
biometric control also of people in Italian territory, fined the company
American Clearview AI with 20 million euros, as well as ordered the aforementioned
company to delete data relating to natural persons in Italy. banned
any other collection and processing of data through the system

facial recognition of the company, and to appoint a representative in the EU
to contact, in addition to the data controller based in the USA or in
instead of it, in order to facilitate the exercise of the rights of the interested parties.

     Well, in light of the above, the Chamber agrees with what

exposed, in the sense that the Spanish Data Protection Agency has
jurisdiction to hear the appellant's claim against the company
Clearview, the GDPR being applicable based on art. 3.2.b) of the aforementioned Regulation,
It should be added that the aforementioned provision does not require that the treatment be carried out
carried out in order to control people's behavior, but simply

“linked” to him.

    Consequently, in light of the foregoing, the appeal must be upheld.
contentious-administrative in relation to the claim that we have just stated

examine, and the aforementioned appeal must be partially upheld.


     FIFTH.- In accordance with art. 139.1 of the Law of Jurisdiction, when estimated in
party the contentious-administrative appeal, each party will pay the costs incurred

at his request and the common ones in half.


     HAVING SEEN the cited articles, and others of general and pertinent application.



     WE FAIL: In relation to the contentious-administrative appeal filed
by the Attorney General of the Courts N.N., in the name and
representation of N.N., against the resolution of 1
September 2021 from the Director of the Spanish Data Protection Agency,

which agreed to file the claim filed against Clearview AI
INC., relapse in file E/04461/2021:

     1st. The inadmissibility of the aforementioned appeal is declared by application of art. 69.b)
of the Law of Jurisdiction regarding the second of the claims contained in

the request of the demand.

     2nd.- The appeal is upheld in relation to the first claim of the petition of the
lawsuit, declaring the nullity of the appealed resolution for not being in accordance with

right, and the Spanish Data Protection Agency must admit the
the appellant's claim and process it.





                                          10





                                                                  Resource No.: 0002185/2021




     3º- Without making a special statement on the procedural costs.


     This ruling is subject to appeal, which must be
prepare before this Court within a period of 30 days counted from the day following that of
your notification; In the document preparing the appeal, the

compliance with the requirements established in art. 89.2 of the Law of the
Jurisdiction justifying the objective cassational interest that it presents.


     Thus, by this our Sentence, we pronounce it, we order and we sign.