AN - 2185/2021: Difference between revisions
m (Wp moved page Audiencia Nacional - Sala Cont-Admtvo - 0002185/2021 to AN - 0002185/2021: wrong category assigned) |
|||
(10 intermediate revisions by 3 users not shown) | |||
Line 9: | Line 9: | ||
|Court_With_Country= AN (Spain) | |Court_With_Country= AN (Spain) | ||
|Case_Number_Name= | |Case_Number_Name=2185/2021 (Appeal number - Número de Recurso) | ||
|ECLI= | |ECLI= | ||
|Original_Source_Name_1=Audiencia Nacional - Sala | |Original_Source_Name_1=Audiencia Nacional - Sala de lo Contencioso-Administrativo | ||
|Original_Source_Link_1=https://gdprhub.eu/images/ | |Original_Source_Link_1=https://gdprhub.eu/images/4/41/0002185-2021_Redacted.pdf | ||
|Original_Source_Language_1=Spanish | |Original_Source_Language_1=Spanish | ||
|Original_Source_Language__Code_1=ES | |Original_Source_Language__Code_1=ES | ||
Line 21: | Line 21: | ||
|Original_Source_Language__Code_2= | |Original_Source_Language__Code_2= | ||
|Date_Decided= | |Date_Decided=27.06.2024 | ||
|Date_Published= | |Date_Published= | ||
|Year=2024 | |Year=2024 | ||
Line 69: | Line 69: | ||
=== Facts === | === Facts === | ||
Clearview AI Inc. (the controller) is a | Clearview AI Inc. (the controller or Clearview) is a company established in the United States. The controller scrapes the internet for photos of faces. Users of its services can upload a photo of the face of a person and obtain other photos of the same person, based on facial recognition technology. They also obtain the URLs where those photos were found. These searches may identify a data subject’s social media accounts or other webpages that disclose further personal data about them. The controller claimed to have the biggest known database of facial images with more than 10 billion images. | ||
In February 2020, September 2020 and January 2021, | In February 2020, September 2020 and January 2021, the data subject submitted access requests as well as objections to processing to the controller via the email address privacy@clearview.ai. The controller did not respond until 29 January 2021, when it instructed the data subject to exercise its rights using a web form. The data subject submitted the form but did not receive a response. In March 2021 the data subject sent another email to the controller attempting to exercise their rights. The controller again responded by instructing them to fill out the web form. | ||
On 10 March 2021 | On 10 March 2021 the data subject filed a complaint with the Spanish DPA (AEPD) alleging numerous infringements of the GDPR. The AEPD archived the complaint in September 2021 on the basis that it lacked competence because the controller did not fall within the scope of [[Article 3 GDPR#(2) Activity in the Union|Article 3(2) GDPR]]. This provision applies the GDPR to controllers established outside of the EU – in this case, the US – when they offer goods or services to data subjects in the Union of if they monitor their behaviour. The AEPD considered that the provision was not applicable in this case. | ||
The data subject initiated proceedings before | The data subject initiated proceedings before the Administrative Chamber of Spain’s ''Audiencia Nacional'' (the Court) to challenge the AEPD’s decision. It argued that the AEPD is competent to handle the complaint because Clearview processed EU data subjects’ data surveilling their behaviour, bringing it within the scope of [[Article 3 GDPR#2b|Article 3(2)(b) GDPR]]. Specifically, the data subject claimed that the controller processed photographs “''through specific technical means allowing the unique identification or authentication of a natural person''”—a type of processing that Recital 51 GDPR explicitly considers processing of a special category of data. The data subject requested that the AEPD’s decision be annulled and that the Court: | ||
# Order the AEPD to recognize its competence to resolve the complaint. | # Order the AEPD to recognize its competence to resolve the complaint and that, in consequence, the complaint be dealt with. | ||
# Order the AEPD to initiate sanctioning proceedings | # Order the AEPD to initiate sanctioning proceedings for infringements of Articles 6, 9, 14, 15 and 17 GDPR. | ||
=== Holding === | === Holding === | ||
The Court partially upheld | The Court partially upheld the appeal. In relation to the first request, it found that the Spanish DPA was competent to resolve the complaint under the GDPR. Therefore, it must admit and handle the data subject’s complaint. The Court declared the second request inadmissible because the data subject did not have a subjective right nor a legitimate interest to request the Court to order a DPA to sanction a controller. | ||
===== Request to Order the AEPD to Initiate Sanctioning Proceedings ===== | ===== Request to Order the AEPD to Initiate Sanctioning Proceedings ===== | ||
The Court | The Court declared the data subject’s request that the Court order the AEPD to initiate sanctioning proceedings inadmissible. | ||
The Court reiterated the Supreme | The Court reiterated the jurisprudence of the ''Tribunal Supremo'' (Supreme Court) noting that complainants do not have a subjective right or legitimate interest in sanctioning a defendant. In data protection matters the sanctioning power is entrusted solely to the public administration – in this case, the AEPD. As a result, data subjects cannot challenge DPA decisions in a sanctioning procedure, nor can they request courts to impose administrative sanctions that were not imposed by the DPA. Administrative courts can control the legality of administrative acts in sanctioning matters, but they cannot impose administrative sanctions that were not imposed by the Administration (among others, [https://www.poderjudicial.es/search/AN/openDocument/8da9e7069a81151f/20091022 Judgement of the Supreme Court of 6 October 2009, no. 4.712/2005]). | ||
Because of this reasoning, the Court declared the request inadmissible. | |||
===== Request to Order the AEPD to Resolve the Complaint ===== | ===== Request to Order the AEPD to Resolve the Complaint ===== | ||
In contrast to its previous findings, the Court held that a data subject can challenge a decision issued in a procedure for the protection of rights where an authority does not admit the complaint filed. It found that the AEPD was competent and is, thus, obligated to handle the complaint. | |||
The Court rejected the AEPD’s finding that it lacked competence to resolve the complaint. It agreed with the data subject as well as DPAs in Hamburg, the Netherlands, France, Greece, Italy and the UK that the controller, in processing and scraping the personal data of European users, | The Court rejected the AEPD’s finding that it lacked competence to resolve the complaint. It agreed with the data subject as well as DPAs in Hamburg, the Netherlands, France, Greece, Italy and the UK that the controller, in processing and scraping the personal data of European users, falls within the scope of [[Article 3 GDPR#2b|Article 3(2)(b) GDPR]]. According to the Court, [[Article 3 GDPR#2b|Article 3(2)(b) GDPR]] does not mean that processing must have the purpose of controlling the behavior of the data subjects; it only requires that the processing be ‘linked’ to such a purpose. | ||
In particular, the Court relied heavily on the French DPA’s (CNIL) | In particular, the Court relied heavily on the [[CNIL (France) - MED-2021-134|French DPA’s (CNIL) decision of 26 November 2021]], in which it identified Clearview as falling within the scope of [[Article 3 GDPR#2b|Article 3(2)(b) GDPR]]. The CNIL had considered the controller’s processing, including scraping the web for photos of data subjects, the URLs where those photos are, the metadata contained in photos. According to the CNIL, Clearview's services allow for identifying, finding information on and creating a detailed profile about an individual. It can therefore be considered to be related to the monitoring of the behaviour of data subjects. The Court also noted that the [[Garante per la protezione dei dati personali (Italy) - 9751362|Italian DPA (Garante) had fined Clearview AI € 20 million]], prohibited further processing and ordered it to designate a representative in the EU. The Court agreed with the CNIL and the Garante that the processing falls within the scope of the GDPR and that the AEPD is thus competent to resolve the complaint of the data subject. | ||
For those reasons, the Court partially upheld the appeal and ordered the AEPD to admit and | For those reasons, the Court partially upheld the appeal and ordered the AEPD to admit and handle the complaint. | ||
== Comment == | == Comment == | ||
'' | The judgement of the ''Audiencia Nacional'' is in line with several decisions of European data protection authorities ([[DSB (Austria) - 2022-0.277.156|Austria]], [[CNIL (France) - SAN-2022-019|France]], [[HDPA (Greece) - 35/2022|Greece]], [[Garante per la protezione dei dati personali (Italy) - 9751362|Italy]], [https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/05/ico-fines-facial-recognition-database-company-clearview-ai-inc/ UK]). It corrects the AEPD's stance and, indirectly, contributes to a uniform approach throughout the European Union (and beyond) regarding Clearview. | ||
== Further Resources == | == Further Resources == | ||
Line 105: | Line 107: | ||
== English Machine Translation of the Decision == | == English Machine Translation of the Decision == | ||
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. | The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. | ||
<pre> | |||
Resource No.: 0002185/2021 | |||
NATIONAL AUDIENCE | |||
Contentious-Administrative Chamber | |||
FIRST SECTION | |||
Resource No.: 0002185/2021 | |||
Type of Appeal: ORDINARY PROCEDURE | |||
General Registry No.: 19167/2021 | |||
Demanding: N.N | |||
Attorney: N.N | |||
Respondent: SPANISH DATA PROTECTION AGENCY | |||
State Attorney | |||
Speaker IImo. Mr.: N.N. | |||
S E N T E N C I A Nº: | |||
IImo. Mr. President: | |||
N.N. | |||
Ilmos. Messrs. Magistrates: | |||
N.N. | |||
N.N. | |||
N.N. | |||
Madrid, June twenty-seven, two thousand twenty-four. | |||
Seen by the Chamber, made up of the Magistrates related to the margin, | |||
the records of the contentious-administrative appeal number 2,185/21, filed by the | |||
Attorney of the Courts N.N., in the name and | |||
representation of N.N., against the resolution of 1 | |||
September 2021 from the Director of the Spanish Data Protection Agency, | |||
which agreed to file the claim filed against Clearview AI | |||
INC., relapsed in file E/04461/2021. The ADMINISTRATION has been part | |||
OF THE STATE. The amount of the resource was set at undetermined. | |||
1 | |||
Resource No.: 0002185/2021 | |||
FACTUAL BACKGROUND | |||
FIRST.- The appeal is admitted and the appropriate procedures have been carried out | |||
procedural matters, transfer was granted to the plaintiff so that, within the term of | |||
twenty days to formalize the demand, which was carried out in writing | |||
presented on December 20, 2021 in which, after presenting the facts and | |||
foundations of law that he considered appropriate, he ended up requesting that a | |||
judgment by which “WITH APPROVAL OF THIS APPEAL is annulled, | |||
revoke and annul the appealed resolution and, consequently: | |||
(i) the AEPD is ordered to recognize its competence to resolve the | |||
claim presented by my client and, consequently, proceed to the | |||
processing it until its resolution; and | |||
(ii) the AEPD is ordered to proceed with the initiation of the procedures | |||
administrative procedures that correspond to the imposition on Clearview of how many | |||
Sanctions may be appropriate based on the aforementioned infractions. | |||
of articles 6, 9, 14, 15 and 17 of the GDPR”. | |||
SECOND.- Once the demand was formalized, it was transferred to the party | |||
defendant to respond within twenty days, which he did | |||
through the pertinent writing, alleging the facts and legal bases that | |||
deemed pertinent, requesting that “a ruling be issued declaring the | |||
inadmissibility of this appeal or, alternatively, it is dismissed, confirming | |||
the contested administrative act.” | |||
THIRD.- By Order of July 11, 2022, it was agreed to receive | |||
proof of the appeal, admitting the documentary evidence proposed by the party | |||
actor. And, there being no more evidence to perform, the period of ten days was granted | |||
to the parties for the formulation of conclusions. Once presented the | |||
corresponding writings, the actions were pending voting and ruling, | |||
which was scheduled for June 25 of the current year, the date on which it took place. | |||
WITH THE EXHIBITION MAGISTRATE BEING SPEAKER. N.N. | |||
FOUNDATIONS OF LAW | |||
FIRST.- The plaintiff challenges the resolution of September 1, 2021 | |||
of the Director of the Spanish Data Protection Agency, by which it was agreed | |||
the file of the claim filed against Clearview AI INC., falling on the | |||
file E/04461/2021. | |||
2 | |||
Resource No.: 0002185/2021 | |||
From the data in the file, the following are proven | |||
facts relevant to issuing the resolution at hand: | |||
A) Clearview AI INC. is a company based in the United States of | |||
America founded in 2017, facial recognition platform that allows users | |||
Users upload an image of a person's face and track, based on the | |||
physical match, other photos of that person's face collected from the Internet. | |||
In his own words, the platform “includes the largest database | |||
known from more than ten billion facial images from sources | |||
public-only websites, including media outlets, mugshot websites, | |||
public social networks and other open sources.” | |||
B) On February 14, 2020, the appellant here requested Clearview to exercise, | |||
among others, access rights (art. 15 of Regulation (EU) 2016/679 | |||
of the European Parliament and of the Council of 27 April 2016 on the | |||
protection of natural persons with regard to data processing | |||
personal data and the free circulation of these data, hereinafter RGPD), and opposition | |||
(art. 21 of the GDPR), with respect to personal data processed by the latter as | |||
data controller on the basis of art. 14.1 c) of the GDPR. For this, it | |||
addressed to the email address privacy@clearview.ai indicated for this purpose | |||
by Clearview on their website https://www.clearview.ai/. | |||
C) Since the plaintiff did not receive a response, he repeated the request two more times. | |||
of rights through the same system, on September 13, 2020 and 28 | |||
January 2021 | |||
On January 29, 2021, Clearview urged the appellant to exercise his rights | |||
through the form on the Web, which was done on January 30, 2021. | |||
D) Upon not receiving a response, on March 1, 2021, the plaintiff repeated, for | |||
fifth time, the request to exercise your rights, this time through Email | |||
electronic. | |||
On March 8, 2021, the appellant received an email from Clearview | |||
urging you, again, to request the exercise of your rights through the form | |||
included on the website | |||
E) The plaintiff presented a claim on March 10, 2021 against | |||
Clearview AI INC. before the Spanish Data Protection Agency for infringement | |||
of the arts. 15, 17 and 21 of the GDPR. | |||
F) On March 22, 2021, the appellant received a response from Clearview AI | |||
INC. solely in response to your access request (art. 15 of the RGPD). | |||
G) Prior to the admission for processing of the claim presented, | |||
It was transferred by the Spanish Data Protection Agency to | |||
CLEARVIEW AI INC. to proceed with its analysis and respond to said | |||
Agency within one month. Likewise, the requested report was requested on the | |||
3 | |||
Resource No.: 0002185/2021 | |||
causes that motivated the incident that occurred, and details of the measures adopted | |||
to avoid similar situations. There is no record of receipt at the Agency of a | |||
response to the transfer by the claimed entity. | |||
SECOND.- Firstly, we will analyze the cause of inadmissibility of art. | |||
69.b) of the Law of Jurisdiction, raised by the legal representative of the | |||
General Administration of the State, based on the lack of active legitimation of the | |||
recurrent. | |||
To analyze this cause of inadmissibility, we must assume that the | |||
Legitimation is an inexcusable presupposition of the process, providing for art. 19.1.a) of the | |||
Law of Jurisdiction, which: “They are legitimized before the jurisdictional order | |||
contentious-administrative: a) Natural or legal persons who hold a | |||
right or legitimate interest.” | |||
In this sense, the Ruling of the Constitutional Court 52/2007, of 12 | |||
March, has specified that the legitimate interest, referred to in art. 24.1 of the | |||
Constitution “is characterized as a univocal material relationship between the subject and the | |||
object of the claim (challenged act or provision), in such a way that its | |||
Override automatically produces a positive (benefit) or negative effect | |||
(damage) current or future but certain, such relationship must be understood as referring to a | |||
interest in its own sense, qualified and specific, current and real (not potential or | |||
hypothetical). It is the potential ownership of an advantage or a utility | |||
legal, not necessarily of patrimonial content, by the person exercising the | |||
claim, which would materialize if this is successful. Or, what is the same, the interest | |||
Legitimate is any legal advantage or utility derived from the intended reparation. | |||
(SSTC 252/2000, of October 30, FJ 3; 173/2004, of October 18, FJ 3; and | |||
73/2006, of March 13, FJ 4; in relation to a union, STC 28/2005, of 14 | |||
February, FJ 3)”. | |||
In the specific area of sanctioning procedures, it has been pointed out | |||
in relation to legitimation in the Supreme Court Ruling of January 30 | |||
of 2001 - appeal no. 506/1998- that “the Chamber understands that the existence of | |||
Legitimation is linked to a legitimate interest of the party that claims it, | |||
being the key to determining whether or not that legitimate interest exists in the process of | |||
challenge of a resolution... the information of whether the imposition of a sanction can | |||
produce a positive effect on the legal sphere of the complainant or can eliminate a | |||
burden or burden in that sphere, and it will be so, in each case, and depending on what | |||
intended, as the appropriate answer to such a question can be given, not being | |||
that the imposition of the sanction constitutes in itself the satisfaction of a | |||
interest". | |||
More recently, in the field of data protection itself in which | |||
we find ourselves, it is worth mentioning the Supreme Court Sentence of October 6, | |||
2009 - appeal no. 4,712/2005 -, which states that “whoever reports facts that | |||
considered to constitute a violation of data protection legislation. | |||
of active standing to challenge through jurisdiction what the Agency resolves. | |||
4 | |||
Resource No.: 0002185/2021 | |||
This is clear from the rulings of this Chamber of November 6, 2007 and, with | |||
even greater clarity, dated December 10, 2008.” | |||
The reason for said lack of legitimation lies, according to the aforementioned Judgment, in | |||
that the complainant lacks the status of interested party in the procedure | |||
sanctioning that can be initiated as a result of your complaint, since in the regulations of | |||
data protection, that condition is not recognized. And as regards the | |||
general principles of administrative sanctioning law, continues the aforementioned | |||
Sentence “although on some occasions this Chamber has said that the complainant | |||
can challenge the filing of the complaint by the Administration, it is not admitted that the | |||
complainant can challenge the final administrative resolution. The crucial argument | |||
in this matter is that the complainant, even when he considers himself | |||
“victim” of the reported violation, does not have a subjective right or interest | |||
legitimate for the accused to be punished. The punitive power belongs | |||
only to the Administration that has been entrusted with the corresponding power | |||
sanctioning authority - in this case, the Spanish Data Protection Agency - and therefore | |||
Consequently, only the Administration has an interest protected by the legal system. | |||
legal in which the offender is punished. It is true that things are not like that in the | |||
criminal law itself, where popular action even exists, but this | |||
It is because there are rules that expressly establish exceptions that do not | |||
appear in administrative sanctioning law and, so now | |||
specifically interested in data protection legislation. It's more: | |||
Accepting the active standing of the complainant would not only lead to maintaining that | |||
has an interest that the legal system does not recognize or protect, but rather | |||
would also lead to transforming the contentious-administrative courts into a | |||
type of appeal bodies in sanctioning matters. The latter would mean | |||
accept that they can impose the administrative sanctions that the | |||
Administration, which would clash with the so-called “reviewing nature” of the jurisdiction | |||
administrative litigation. In other words, the contentious courts | |||
Administrative authorities can and must control the legality of administrative acts in | |||
sanctioning matter; but they cannot replace the Administration in the exercise of | |||
the sanctioning powers that the law entrusts to it. | |||
What has just been said must be clarified: the complainant of | |||
a violation of data protection legislation lacks locus standi | |||
to challenge the Agency's resolution regarding the result | |||
sanctioner himself (imposition of a sanction, amount thereof, exculpation, | |||
etc); but if necessary, it may have active legitimacy with respect to aspects | |||
of the resolution other than the specifically sanctioning one, provided that, for | |||
course, can show some genuine interest worthy of guardianship.” | |||
On the other hand, in the Supreme Court Ruling of June 9, 2014 - | |||
resource no. 5.216/2011-, which states that: “The jurisprudence cited by the | |||
contested ruling, as the basis for its decision to inadmiss the appeal | |||
Due to lack of active standing of the appellant, it is made up of the | |||
rulings of this Chamber of December 16, 2008 (recourse 6339/2004) and 6 of | |||
October 2009 (resource 4712/2005), which fell on appeals that present | |||
as a characteristic that, in the administrative process, after the filing of a | |||
complaint, the AEPD carried out actions aimed at verifying the facts | |||
5 | |||
Resource No.: 0002185/2021 | |||
object of complaint, so that the decision to archive the file was | |||
adopted by the AEPD after this investigative activity and verification of the | |||
facts, and as a consequence of it. | |||
In this context that we have just explained, that is, in cases in which | |||
The Administration had developed an investigation and verification action | |||
of the facts reported, the rulings of this Chamber, cited by the ruling | |||
appealed, made the statements that the complainant does not have a right | |||
subjective nor a legitimate interest in having the accused person punished. Specifically, the | |||
STS of December 15, 2008 declared that the complainant lacked standing | |||
for the claim exercised in the appeal, which had been to force the | |||
AEPD to sanction the entity reported for serious misconduct, and the STS of 29 | |||
September 2009 considered that the contested ruling had incurred | |||
inconsistency, because the petition of the lawsuit was limited to requesting the annulment of the | |||
resolution of the AEPD and the contested ruling went further and ordered retroaction | |||
of actions in order to impose the corresponding administrative sanction.” | |||
The second claim contained in the application's request says: “(ii) | |||
order the AEPD to proceed with the initiation of administrative procedures | |||
that correspond to the imposition on Clearview of any sanctions that may be | |||
appropriate on the basis of the aforementioned violations of articles 6, 9, | |||
14, 15 and 17 of the GDPR”. | |||
Thus, the appellant in said claim requests the exercise of | |||
sanctioning power for non-compliance with data protection regulations, | |||
His legitimacy to challenge the Agency's decision is not proven, since | |||
As indicated in the Supreme Court Ruling of February 1, 2018 - appeal no. | |||
2,368/2016-: “The claim to defend legality ---regardless of its | |||
regulation in the field of criminal law---requires, in the field that affects us, | |||
administrative law, of a specific and concrete authorization that is not perceived | |||
nor is it accredited in the matter of the protection of personal data, and must | |||
Remember that the punitive power belongs solely to the Administration, which is | |||
who is entrusted with the corresponding sanctioning power --- in this case, | |||
the Spanish Data Protection Agency--, and, consequently, only the | |||
Administration has an interest protected by the legal system in which the | |||
offender be punished; The opposite would imply replacing the Administration in the | |||
exercise of sanctioning power.” | |||
In short, in view of the above, the actor lacks both a right | |||
subjective as well as a legitimate interest in the success of the claim we are | |||
analyzing, so it is inadmissible under art. 69. b) of the Law of | |||
the Jurisdiction. | |||
But in the case at hand, it is also intended that the Agency | |||
Spanish Data Protection Authority recognizes its competence to resolve the | |||
claim presented by the appellant and, consequently, the | |||
processing it until its resolution. | |||
6 | |||
Resource No.: 0002185/2021 | |||
Well, in relation to said claim, if the plaintiff is found | |||
actively legitimized to challenge the resolution issued in a procedure of | |||
protection of rights, which inadmisses the claim made by them via | |||
administrative, since it includes that specific suitability that derives from the | |||
underlying problem to be discussed in this resource. Criterion that is followed by this | |||
Section in the Judgments of November 16, 2011 - appeal no. 413/2010-, of | |||
May 17, 2012 - appeal no. 406/2010 -, and March 8, 2019 -resource no. | |||
165/2018-, among others. | |||
Therefore, we will now analyze the aforementioned claim. | |||
THIRD.- In the appealed resolution, the plaintiff's claim is filed against | |||
be excluded from the scope of application of the RGPD, based on the following: “In this | |||
case, although it is true that, to offer the service, the search engine reads and | |||
stores millions of photographs publicly accessible over the Internet – | |||
many of which correspond to European residents – the conditions for | |||
that a processing carried out by a controller outside the Union (in this case, in | |||
U.S.) is covered by the GDPR are that the activities associated with it | |||
are related to the offer of goods or services to said interested parties in the | |||
Union, as determined by art. 3.2.a) of the RGPD, or that are related to the control | |||
of their behavior, as provided in article 3.2.b) of the RGPD. Circumstances | |||
that do not occur in this case.” | |||
The actor alleges that the Spanish Data Protection Agency is competent | |||
to process your claim based on art. 3.2.b) of the RGPD. Clearview is said to | |||
not only processes personal data, but also processes special categories of | |||
personal data of art. 9 of the GDPR. It is clear that recital 51 | |||
of the GDPR makes it explicit that the processing of photographs is not considered | |||
systematically processing special data, as it is not understood that the | |||
image is de facto biometric data, unless, as is the case, “the fact of | |||
be treated with specific technical means allowing the identification or | |||
univocal authentication of a natural person. | |||
It is argued that by indicating that the GDPR applies to activities of | |||
treatment related to "behavioral control", art. 3.2.b) of the | |||
GDPR implies that any data controller or data controller | |||
later worldwide that tracks European users in a way | |||
identified or identifiable person would be carrying out treatment activities under the | |||
scope of the GDPR. It is added that the GDPR covers any form of tracking in | |||
Internet that, in terms of its intensity, is equivalent to a "surveillance" of the | |||
interested parties, and that the monitoring of interested parties on the Internet through | |||
comparison of biometric data, as carried out by Clearview, would already determine the | |||
scope of art. 3.2.b) of the RGPD. | |||
In this regard, the Court is informed in the application of the | |||
conclusions reached, in this sense, by other authorities for the protection of | |||
international data, including many in the European Union. This is how they refer to | |||
7 | |||
Resource No.: 0002185/2021 | |||
cases from the United Kingdom, Hamburg, Holland, France. And in the written conclusions | |||
Reference is made to cases from Greece and Italy. | |||
Finally, it is alluded to that the appealed resolution incurs arbitrariness and lack | |||
of motivation as a consequence of hardly carrying out checks on the | |||
responsibility of Clearview and to obviate past non-compliance. | |||
FOURTH.- The art. 3.2.b) of the RGPD, on which the plaintiff relies to determine | |||
the competence of the Spanish Data Protection Agency, provides: “The | |||
This Regulation applies to the processing of personal data of interested parties | |||
residing in the Union by a person responsible or in charge not established in | |||
the Union, when the processing activities are related to: …. b) the | |||
control of their behavior, to the extent that this takes place in the Union.” | |||
For its part, recital 24 of the aforementioned RGPD states: “(24) The treatment | |||
of personal data of interested parties residing in the Union by a controller | |||
or processor not established in the Union should also be the subject of this | |||
Regulation when related to the observation of the behavior of | |||
said interested parties to the extent that this behavior takes place in the | |||
Union. To determine whether a treatment activity can be considered | |||
controls the behavior of the interested parties, it must be evaluated whether the people | |||
Physical data are tracked on the Internet, including potential subsequent use | |||
of personal data processing techniques that consist of the preparation of | |||
a profile of a natural person for the purpose, in particular, of making decisions about | |||
him or to analyze or predict his personal preferences, behaviors and | |||
attitudes.” | |||
While art. 4 of the GDPR defines “profiling” as “any | |||
form of automated processing of personal data consisting of using data | |||
personal to evaluate certain personal aspects of a natural person, | |||
in particular to analyze or predict aspects related to professional performance, | |||
economic situation, health, personal preferences, interests, reliability, | |||
behavior, location or movements of said natural person.” | |||
Thus, in resolution No. MED-2021-134, of November 26, | |||
2021from the National Commission for Information Technologies and Freedoms | |||
Public Authorities of France, in relation to the entity Clearview AI INC., and the application of the | |||
art. 3.2.b) of the GDPR, it says: “First of all, the processing in question leads to | |||
creating a behavioral profile of all people whose data is collected | |||
they collect | |||
From the relevant information, provided within the framework of cooperation between the | |||
supervisory authorities, it follows that the tool in question allows | |||
generate, from a photograph, a search result that contains all the | |||
photographs with a biometric model close enough to said photograph. | |||
This search result includes all photographs in which the | |||
face of a person and that have been collected by the company, subject to a | |||
margin of technical error. | |||
8 | |||
Resource No.: 0002185/2021 | |||
The profile thus created, relating to a person, is made up of photographs, but | |||
also the URL address of all the web pages on which they are located | |||
these photographs. However, the linking of photographs and the context in which | |||
presented on a website allows you to collect a lot of information about a | |||
person, their habits or preferences. Regarding social networks in | |||
particular, it is very likely that a photograph and the original URL of this photograph | |||
identify the account of the person in question. Photographs can also | |||
have been published online to illustrate a press or blog article, therefore | |||
which is likely to contain accurate information about the person concerned and, | |||
therefore, elements related to its behavior. | |||
Additionally, images may contain metadata, such as image metadata. | |||
geolocation, which are also included in the search result and are | |||
can be used to complete a person's profile. | |||
This search result also allows you to identify the behavior of | |||
a person on the Internet, by analyzing the information that person has | |||
chosen to put online, as well as its context. Indeed, the publication of photographs | |||
online constitutes in itself a behavior of the affected person, since | |||
reflects options about the level of exposure you want to give to elements of your | |||
private or professional life. | |||
Therefore, it is appropriate to consider that the search result associated | |||
A photograph must be classified, at least partially, as a profile of | |||
behavior of the person in question, to the extent that it contains a | |||
large amount of information relating to said person and, in particular, his | |||
behavior. Even when the purpose of the treatment itself is not the control of the | |||
behavior, the means used to enable the identification system | |||
biometrics from the company Clearview involve the creation of such a profile, and may | |||
treatment to be considered “linked to behavioral monitoring” | |||
of the affected people. | |||
Secondly, the automated data processing that allows the | |||
creation of said behavioral profile and its availability to people who | |||
queries in the company's search engine should be classified as | |||
tracking on the Internet. | |||
Indeed, the very purpose of the tool marketed by Clearview | |||
is to be able to identify and collect certain information related to a person. The | |||
implementation of the different stages of processing described above, | |||
and in particular biometric techniques to distinguish an individual, lead to the | |||
creating a behavioral profile. However, this profile is created in | |||
response to a search carried out by a person and relating to a person who | |||
appears in a photograph. | |||
Additionally, the search can be renewed over time, allowing you to see a | |||
evolution of information relating to a person, especially when compared | |||
the results of successive searches. In fact, since the database is | |||
updated periodically, successive searches allow us to follow the evolution of | |||
a profile over time.” | |||
And the conclusion is reached that the treatment carried out in this way is linked | |||
to monitoring the behavior of the interested parties in the sense of the | |||
provisions of art. 3.2.b) of the RGPD and falls within the territorial scope of the RGPD. | |||
9 | |||
Resource No.: 0002185/2021 | |||
On the other hand, the Italian Data Protection Authority, by the resolution of | |||
March 9, 2022, after discovering that what amounted to | |||
biometric control also of people in Italian territory, fined the company | |||
American Clearview AI with 20 million euros, as well as ordered the aforementioned | |||
company to delete data relating to natural persons in Italy. banned | |||
any other collection and processing of data through the system | |||
facial recognition of the company, and to appoint a representative in the EU | |||
to contact, in addition to the data controller based in the USA or in | |||
instead of it, in order to facilitate the exercise of the rights of the interested parties. | |||
Well, in light of the above, the Chamber agrees with what | |||
exposed, in the sense that the Spanish Data Protection Agency has | |||
jurisdiction to hear the appellant's claim against the company | |||
Clearview, the GDPR being applicable based on art. 3.2.b) of the aforementioned Regulation, | |||
It should be added that the aforementioned provision does not require that the treatment be carried out | |||
carried out in order to control people's behavior, but simply | |||
“linked” to him. | |||
Consequently, in light of the foregoing, the appeal must be upheld. | |||
contentious-administrative in relation to the claim that we have just stated | |||
examine, and the aforementioned appeal must be partially upheld. | |||
FIFTH.- In accordance with art. 139.1 of the Law of Jurisdiction, when estimated in | |||
party the contentious-administrative appeal, each party will pay the costs incurred | |||
at his request and the common ones in half. | |||
HAVING SEEN the cited articles, and others of general and pertinent application. | |||
WE FAIL: In relation to the contentious-administrative appeal filed | |||
by the Attorney General of the Courts N.N., in the name and | |||
representation of N.N., against the resolution of 1 | |||
September 2021 from the Director of the Spanish Data Protection Agency, | |||
which agreed to file the claim filed against Clearview AI | |||
INC., relapse in file E/04461/2021: | |||
1st. The inadmissibility of the aforementioned appeal is declared by application of art. 69.b) | |||
of the Law of Jurisdiction regarding the second of the claims contained in | |||
the request of the demand. | |||
2nd.- The appeal is upheld in relation to the first claim of the petition of the | |||
lawsuit, declaring the nullity of the appealed resolution for not being in accordance with | |||
right, and the Spanish Data Protection Agency must admit the | |||
the appellant's claim and process it. | |||
10 | |||
Resource No.: 0002185/2021 | |||
3º- Without making a special statement on the procedural costs. | |||
This ruling is subject to appeal, which must be | |||
prepare before this Court within a period of 30 days counted from the day following that of | |||
your notification; In the document preparing the appeal, the | |||
compliance with the requirements established in art. 89.2 of the Law of the | |||
Jurisdiction justifying the objective cassational interest that it presents. | |||
Thus, by this our Sentence, we pronounce it, we order and we sign. | |||
</pre> |
Latest revision as of 12:30, 17 July 2024
AN - 2185/2021 (Appeal number - Número de Recurso) | |
---|---|
Court: | AN (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 3(2)(b) GDPR Ley 29/1998, de 13 de julio, reguladora de la Jurisdicción Contencioso-administrativa |
Decided: | 27.06.2024 |
Published: | |
Parties: | AEPD |
National Case Number/Name: | 2185/2021 (Appeal number - Número de Recurso) |
European Case Law Identifier: | |
Appeal from: | AEPD (Spain) E/04461/2021 |
Appeal to: | Unknown |
Original Language(s): | Spanish |
Original Source: | Audiencia Nacional - Sala de lo Contencioso-Administrativo (in Spanish) |
Initial Contributor: | lm |
The Court found the Spanish DPA competent to resolve a complaint against US-based Clearview AI, and thus ordered the DPA to admit and process the complaint.
English Summary
Facts
Clearview AI Inc. (the controller or Clearview) is a company established in the United States. The controller scrapes the internet for photos of faces. Users of its services can upload a photo of the face of a person and obtain other photos of the same person, based on facial recognition technology. They also obtain the URLs where those photos were found. These searches may identify a data subject’s social media accounts or other webpages that disclose further personal data about them. The controller claimed to have the biggest known database of facial images with more than 10 billion images.
In February 2020, September 2020 and January 2021, the data subject submitted access requests as well as objections to processing to the controller via the email address privacy@clearview.ai. The controller did not respond until 29 January 2021, when it instructed the data subject to exercise its rights using a web form. The data subject submitted the form but did not receive a response. In March 2021 the data subject sent another email to the controller attempting to exercise their rights. The controller again responded by instructing them to fill out the web form.
On 10 March 2021 the data subject filed a complaint with the Spanish DPA (AEPD) alleging numerous infringements of the GDPR. The AEPD archived the complaint in September 2021 on the basis that it lacked competence because the controller did not fall within the scope of Article 3(2) GDPR. This provision applies the GDPR to controllers established outside of the EU – in this case, the US – when they offer goods or services to data subjects in the Union of if they monitor their behaviour. The AEPD considered that the provision was not applicable in this case.
The data subject initiated proceedings before the Administrative Chamber of Spain’s Audiencia Nacional (the Court) to challenge the AEPD’s decision. It argued that the AEPD is competent to handle the complaint because Clearview processed EU data subjects’ data surveilling their behaviour, bringing it within the scope of Article 3(2)(b) GDPR. Specifically, the data subject claimed that the controller processed photographs “through specific technical means allowing the unique identification or authentication of a natural person”—a type of processing that Recital 51 GDPR explicitly considers processing of a special category of data. The data subject requested that the AEPD’s decision be annulled and that the Court:
- Order the AEPD to recognize its competence to resolve the complaint and that, in consequence, the complaint be dealt with.
- Order the AEPD to initiate sanctioning proceedings for infringements of Articles 6, 9, 14, 15 and 17 GDPR.
Holding
The Court partially upheld the appeal. In relation to the first request, it found that the Spanish DPA was competent to resolve the complaint under the GDPR. Therefore, it must admit and handle the data subject’s complaint. The Court declared the second request inadmissible because the data subject did not have a subjective right nor a legitimate interest to request the Court to order a DPA to sanction a controller.
Request to Order the AEPD to Initiate Sanctioning Proceedings
The Court declared the data subject’s request that the Court order the AEPD to initiate sanctioning proceedings inadmissible.
The Court reiterated the jurisprudence of the Tribunal Supremo (Supreme Court) noting that complainants do not have a subjective right or legitimate interest in sanctioning a defendant. In data protection matters the sanctioning power is entrusted solely to the public administration – in this case, the AEPD. As a result, data subjects cannot challenge DPA decisions in a sanctioning procedure, nor can they request courts to impose administrative sanctions that were not imposed by the DPA. Administrative courts can control the legality of administrative acts in sanctioning matters, but they cannot impose administrative sanctions that were not imposed by the Administration (among others, Judgement of the Supreme Court of 6 October 2009, no. 4.712/2005).
Because of this reasoning, the Court declared the request inadmissible.
Request to Order the AEPD to Resolve the Complaint
In contrast to its previous findings, the Court held that a data subject can challenge a decision issued in a procedure for the protection of rights where an authority does not admit the complaint filed. It found that the AEPD was competent and is, thus, obligated to handle the complaint.
The Court rejected the AEPD’s finding that it lacked competence to resolve the complaint. It agreed with the data subject as well as DPAs in Hamburg, the Netherlands, France, Greece, Italy and the UK that the controller, in processing and scraping the personal data of European users, falls within the scope of Article 3(2)(b) GDPR. According to the Court, Article 3(2)(b) GDPR does not mean that processing must have the purpose of controlling the behavior of the data subjects; it only requires that the processing be ‘linked’ to such a purpose.
In particular, the Court relied heavily on the French DPA’s (CNIL) decision of 26 November 2021, in which it identified Clearview as falling within the scope of Article 3(2)(b) GDPR. The CNIL had considered the controller’s processing, including scraping the web for photos of data subjects, the URLs where those photos are, the metadata contained in photos. According to the CNIL, Clearview's services allow for identifying, finding information on and creating a detailed profile about an individual. It can therefore be considered to be related to the monitoring of the behaviour of data subjects. The Court also noted that the Italian DPA (Garante) had fined Clearview AI € 20 million, prohibited further processing and ordered it to designate a representative in the EU. The Court agreed with the CNIL and the Garante that the processing falls within the scope of the GDPR and that the AEPD is thus competent to resolve the complaint of the data subject.
For those reasons, the Court partially upheld the appeal and ordered the AEPD to admit and handle the complaint.
Comment
The judgement of the Audiencia Nacional is in line with several decisions of European data protection authorities (Austria, France, Greece, Italy, UK). It corrects the AEPD's stance and, indirectly, contributes to a uniform approach throughout the European Union (and beyond) regarding Clearview.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Resource No.: 0002185/2021 NATIONAL AUDIENCE Contentious-Administrative Chamber FIRST SECTION Resource No.: 0002185/2021 Type of Appeal: ORDINARY PROCEDURE General Registry No.: 19167/2021 Demanding: N.N Attorney: N.N Respondent: SPANISH DATA PROTECTION AGENCY State Attorney Speaker IImo. Mr.: N.N. S E N T E N C I A Nº: IImo. Mr. President: N.N. Ilmos. Messrs. Magistrates: N.N. N.N. N.N. Madrid, June twenty-seven, two thousand twenty-four. Seen by the Chamber, made up of the Magistrates related to the margin, the records of the contentious-administrative appeal number 2,185/21, filed by the Attorney of the Courts N.N., in the name and representation of N.N., against the resolution of 1 September 2021 from the Director of the Spanish Data Protection Agency, which agreed to file the claim filed against Clearview AI INC., relapsed in file E/04461/2021. The ADMINISTRATION has been part OF THE STATE. The amount of the resource was set at undetermined. 1 Resource No.: 0002185/2021 FACTUAL BACKGROUND FIRST.- The appeal is admitted and the appropriate procedures have been carried out procedural matters, transfer was granted to the plaintiff so that, within the term of twenty days to formalize the demand, which was carried out in writing presented on December 20, 2021 in which, after presenting the facts and foundations of law that he considered appropriate, he ended up requesting that a judgment by which “WITH APPROVAL OF THIS APPEAL is annulled, revoke and annul the appealed resolution and, consequently: (i) the AEPD is ordered to recognize its competence to resolve the claim presented by my client and, consequently, proceed to the processing it until its resolution; and (ii) the AEPD is ordered to proceed with the initiation of the procedures administrative procedures that correspond to the imposition on Clearview of how many Sanctions may be appropriate based on the aforementioned infractions. of articles 6, 9, 14, 15 and 17 of the GDPR”. SECOND.- Once the demand was formalized, it was transferred to the party defendant to respond within twenty days, which he did through the pertinent writing, alleging the facts and legal bases that deemed pertinent, requesting that “a ruling be issued declaring the inadmissibility of this appeal or, alternatively, it is dismissed, confirming the contested administrative act.” THIRD.- By Order of July 11, 2022, it was agreed to receive proof of the appeal, admitting the documentary evidence proposed by the party actor. And, there being no more evidence to perform, the period of ten days was granted to the parties for the formulation of conclusions. Once presented the corresponding writings, the actions were pending voting and ruling, which was scheduled for June 25 of the current year, the date on which it took place. WITH THE EXHIBITION MAGISTRATE BEING SPEAKER. N.N. FOUNDATIONS OF LAW FIRST.- The plaintiff challenges the resolution of September 1, 2021 of the Director of the Spanish Data Protection Agency, by which it was agreed the file of the claim filed against Clearview AI INC., falling on the file E/04461/2021. 2 Resource No.: 0002185/2021 From the data in the file, the following are proven facts relevant to issuing the resolution at hand: A) Clearview AI INC. is a company based in the United States of America founded in 2017, facial recognition platform that allows users Users upload an image of a person's face and track, based on the physical match, other photos of that person's face collected from the Internet. In his own words, the platform “includes the largest database known from more than ten billion facial images from sources public-only websites, including media outlets, mugshot websites, public social networks and other open sources.” B) On February 14, 2020, the appellant here requested Clearview to exercise, among others, access rights (art. 15 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to data processing personal data and the free circulation of these data, hereinafter RGPD), and opposition (art. 21 of the GDPR), with respect to personal data processed by the latter as data controller on the basis of art. 14.1 c) of the GDPR. For this, it addressed to the email address privacy@clearview.ai indicated for this purpose by Clearview on their website https://www.clearview.ai/. C) Since the plaintiff did not receive a response, he repeated the request two more times. of rights through the same system, on September 13, 2020 and 28 January 2021 On January 29, 2021, Clearview urged the appellant to exercise his rights through the form on the Web, which was done on January 30, 2021. D) Upon not receiving a response, on March 1, 2021, the plaintiff repeated, for fifth time, the request to exercise your rights, this time through Email electronic. On March 8, 2021, the appellant received an email from Clearview urging you, again, to request the exercise of your rights through the form included on the website E) The plaintiff presented a claim on March 10, 2021 against Clearview AI INC. before the Spanish Data Protection Agency for infringement of the arts. 15, 17 and 21 of the GDPR. F) On March 22, 2021, the appellant received a response from Clearview AI INC. solely in response to your access request (art. 15 of the RGPD). G) Prior to the admission for processing of the claim presented, It was transferred by the Spanish Data Protection Agency to CLEARVIEW AI INC. to proceed with its analysis and respond to said Agency within one month. Likewise, the requested report was requested on the 3 Resource No.: 0002185/2021 causes that motivated the incident that occurred, and details of the measures adopted to avoid similar situations. There is no record of receipt at the Agency of a response to the transfer by the claimed entity. SECOND.- Firstly, we will analyze the cause of inadmissibility of art. 69.b) of the Law of Jurisdiction, raised by the legal representative of the General Administration of the State, based on the lack of active legitimation of the recurrent. To analyze this cause of inadmissibility, we must assume that the Legitimation is an inexcusable presupposition of the process, providing for art. 19.1.a) of the Law of Jurisdiction, which: “They are legitimized before the jurisdictional order contentious-administrative: a) Natural or legal persons who hold a right or legitimate interest.” In this sense, the Ruling of the Constitutional Court 52/2007, of 12 March, has specified that the legitimate interest, referred to in art. 24.1 of the Constitution “is characterized as a univocal material relationship between the subject and the object of the claim (challenged act or provision), in such a way that its Override automatically produces a positive (benefit) or negative effect (damage) current or future but certain, such relationship must be understood as referring to a interest in its own sense, qualified and specific, current and real (not potential or hypothetical). It is the potential ownership of an advantage or a utility legal, not necessarily of patrimonial content, by the person exercising the claim, which would materialize if this is successful. Or, what is the same, the interest Legitimate is any legal advantage or utility derived from the intended reparation. (SSTC 252/2000, of October 30, FJ 3; 173/2004, of October 18, FJ 3; and 73/2006, of March 13, FJ 4; in relation to a union, STC 28/2005, of 14 February, FJ 3)”. In the specific area of sanctioning procedures, it has been pointed out in relation to legitimation in the Supreme Court Ruling of January 30 of 2001 - appeal no. 506/1998- that “the Chamber understands that the existence of Legitimation is linked to a legitimate interest of the party that claims it, being the key to determining whether or not that legitimate interest exists in the process of challenge of a resolution... the information of whether the imposition of a sanction can produce a positive effect on the legal sphere of the complainant or can eliminate a burden or burden in that sphere, and it will be so, in each case, and depending on what intended, as the appropriate answer to such a question can be given, not being that the imposition of the sanction constitutes in itself the satisfaction of a interest". More recently, in the field of data protection itself in which we find ourselves, it is worth mentioning the Supreme Court Sentence of October 6, 2009 - appeal no. 4,712/2005 -, which states that “whoever reports facts that considered to constitute a violation of data protection legislation. of active standing to challenge through jurisdiction what the Agency resolves. 4 Resource No.: 0002185/2021 This is clear from the rulings of this Chamber of November 6, 2007 and, with even greater clarity, dated December 10, 2008.” The reason for said lack of legitimation lies, according to the aforementioned Judgment, in that the complainant lacks the status of interested party in the procedure sanctioning that can be initiated as a result of your complaint, since in the regulations of data protection, that condition is not recognized. And as regards the general principles of administrative sanctioning law, continues the aforementioned Sentence “although on some occasions this Chamber has said that the complainant can challenge the filing of the complaint by the Administration, it is not admitted that the complainant can challenge the final administrative resolution. The crucial argument in this matter is that the complainant, even when he considers himself “victim” of the reported violation, does not have a subjective right or interest legitimate for the accused to be punished. The punitive power belongs only to the Administration that has been entrusted with the corresponding power sanctioning authority - in this case, the Spanish Data Protection Agency - and therefore Consequently, only the Administration has an interest protected by the legal system. legal in which the offender is punished. It is true that things are not like that in the criminal law itself, where popular action even exists, but this It is because there are rules that expressly establish exceptions that do not appear in administrative sanctioning law and, so now specifically interested in data protection legislation. It's more: Accepting the active standing of the complainant would not only lead to maintaining that has an interest that the legal system does not recognize or protect, but rather would also lead to transforming the contentious-administrative courts into a type of appeal bodies in sanctioning matters. The latter would mean accept that they can impose the administrative sanctions that the Administration, which would clash with the so-called “reviewing nature” of the jurisdiction administrative litigation. In other words, the contentious courts Administrative authorities can and must control the legality of administrative acts in sanctioning matter; but they cannot replace the Administration in the exercise of the sanctioning powers that the law entrusts to it. What has just been said must be clarified: the complainant of a violation of data protection legislation lacks locus standi to challenge the Agency's resolution regarding the result sanctioner himself (imposition of a sanction, amount thereof, exculpation, etc); but if necessary, it may have active legitimacy with respect to aspects of the resolution other than the specifically sanctioning one, provided that, for course, can show some genuine interest worthy of guardianship.” On the other hand, in the Supreme Court Ruling of June 9, 2014 - resource no. 5.216/2011-, which states that: “The jurisprudence cited by the contested ruling, as the basis for its decision to inadmiss the appeal Due to lack of active standing of the appellant, it is made up of the rulings of this Chamber of December 16, 2008 (recourse 6339/2004) and 6 of October 2009 (resource 4712/2005), which fell on appeals that present as a characteristic that, in the administrative process, after the filing of a complaint, the AEPD carried out actions aimed at verifying the facts 5 Resource No.: 0002185/2021 object of complaint, so that the decision to archive the file was adopted by the AEPD after this investigative activity and verification of the facts, and as a consequence of it. In this context that we have just explained, that is, in cases in which The Administration had developed an investigation and verification action of the facts reported, the rulings of this Chamber, cited by the ruling appealed, made the statements that the complainant does not have a right subjective nor a legitimate interest in having the accused person punished. Specifically, the STS of December 15, 2008 declared that the complainant lacked standing for the claim exercised in the appeal, which had been to force the AEPD to sanction the entity reported for serious misconduct, and the STS of 29 September 2009 considered that the contested ruling had incurred inconsistency, because the petition of the lawsuit was limited to requesting the annulment of the resolution of the AEPD and the contested ruling went further and ordered retroaction of actions in order to impose the corresponding administrative sanction.” The second claim contained in the application's request says: “(ii) order the AEPD to proceed with the initiation of administrative procedures that correspond to the imposition on Clearview of any sanctions that may be appropriate on the basis of the aforementioned violations of articles 6, 9, 14, 15 and 17 of the GDPR”. Thus, the appellant in said claim requests the exercise of sanctioning power for non-compliance with data protection regulations, His legitimacy to challenge the Agency's decision is not proven, since As indicated in the Supreme Court Ruling of February 1, 2018 - appeal no. 2,368/2016-: “The claim to defend legality ---regardless of its regulation in the field of criminal law---requires, in the field that affects us, administrative law, of a specific and concrete authorization that is not perceived nor is it accredited in the matter of the protection of personal data, and must Remember that the punitive power belongs solely to the Administration, which is who is entrusted with the corresponding sanctioning power --- in this case, the Spanish Data Protection Agency--, and, consequently, only the Administration has an interest protected by the legal system in which the offender be punished; The opposite would imply replacing the Administration in the exercise of sanctioning power.” In short, in view of the above, the actor lacks both a right subjective as well as a legitimate interest in the success of the claim we are analyzing, so it is inadmissible under art. 69. b) of the Law of the Jurisdiction. But in the case at hand, it is also intended that the Agency Spanish Data Protection Authority recognizes its competence to resolve the claim presented by the appellant and, consequently, the processing it until its resolution. 6 Resource No.: 0002185/2021 Well, in relation to said claim, if the plaintiff is found actively legitimized to challenge the resolution issued in a procedure of protection of rights, which inadmisses the claim made by them via administrative, since it includes that specific suitability that derives from the underlying problem to be discussed in this resource. Criterion that is followed by this Section in the Judgments of November 16, 2011 - appeal no. 413/2010-, of May 17, 2012 - appeal no. 406/2010 -, and March 8, 2019 -resource no. 165/2018-, among others. Therefore, we will now analyze the aforementioned claim. THIRD.- In the appealed resolution, the plaintiff's claim is filed against be excluded from the scope of application of the RGPD, based on the following: “In this case, although it is true that, to offer the service, the search engine reads and stores millions of photographs publicly accessible over the Internet – many of which correspond to European residents – the conditions for that a processing carried out by a controller outside the Union (in this case, in U.S.) is covered by the GDPR are that the activities associated with it are related to the offer of goods or services to said interested parties in the Union, as determined by art. 3.2.a) of the RGPD, or that are related to the control of their behavior, as provided in article 3.2.b) of the RGPD. Circumstances that do not occur in this case.” The actor alleges that the Spanish Data Protection Agency is competent to process your claim based on art. 3.2.b) of the RGPD. Clearview is said to not only processes personal data, but also processes special categories of personal data of art. 9 of the GDPR. It is clear that recital 51 of the GDPR makes it explicit that the processing of photographs is not considered systematically processing special data, as it is not understood that the image is de facto biometric data, unless, as is the case, “the fact of be treated with specific technical means allowing the identification or univocal authentication of a natural person. It is argued that by indicating that the GDPR applies to activities of treatment related to "behavioral control", art. 3.2.b) of the GDPR implies that any data controller or data controller later worldwide that tracks European users in a way identified or identifiable person would be carrying out treatment activities under the scope of the GDPR. It is added that the GDPR covers any form of tracking in Internet that, in terms of its intensity, is equivalent to a "surveillance" of the interested parties, and that the monitoring of interested parties on the Internet through comparison of biometric data, as carried out by Clearview, would already determine the scope of art. 3.2.b) of the RGPD. In this regard, the Court is informed in the application of the conclusions reached, in this sense, by other authorities for the protection of international data, including many in the European Union. This is how they refer to 7 Resource No.: 0002185/2021 cases from the United Kingdom, Hamburg, Holland, France. And in the written conclusions Reference is made to cases from Greece and Italy. Finally, it is alluded to that the appealed resolution incurs arbitrariness and lack of motivation as a consequence of hardly carrying out checks on the responsibility of Clearview and to obviate past non-compliance. FOURTH.- The art. 3.2.b) of the RGPD, on which the plaintiff relies to determine the competence of the Spanish Data Protection Agency, provides: “The This Regulation applies to the processing of personal data of interested parties residing in the Union by a person responsible or in charge not established in the Union, when the processing activities are related to: …. b) the control of their behavior, to the extent that this takes place in the Union.” For its part, recital 24 of the aforementioned RGPD states: “(24) The treatment of personal data of interested parties residing in the Union by a controller or processor not established in the Union should also be the subject of this Regulation when related to the observation of the behavior of said interested parties to the extent that this behavior takes place in the Union. To determine whether a treatment activity can be considered controls the behavior of the interested parties, it must be evaluated whether the people Physical data are tracked on the Internet, including potential subsequent use of personal data processing techniques that consist of the preparation of a profile of a natural person for the purpose, in particular, of making decisions about him or to analyze or predict his personal preferences, behaviors and attitudes.” While art. 4 of the GDPR defines “profiling” as “any form of automated processing of personal data consisting of using data personal to evaluate certain personal aspects of a natural person, in particular to analyze or predict aspects related to professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements of said natural person.” Thus, in resolution No. MED-2021-134, of November 26, 2021from the National Commission for Information Technologies and Freedoms Public Authorities of France, in relation to the entity Clearview AI INC., and the application of the art. 3.2.b) of the GDPR, it says: “First of all, the processing in question leads to creating a behavioral profile of all people whose data is collected they collect From the relevant information, provided within the framework of cooperation between the supervisory authorities, it follows that the tool in question allows generate, from a photograph, a search result that contains all the photographs with a biometric model close enough to said photograph. This search result includes all photographs in which the face of a person and that have been collected by the company, subject to a margin of technical error. 8 Resource No.: 0002185/2021 The profile thus created, relating to a person, is made up of photographs, but also the URL address of all the web pages on which they are located these photographs. However, the linking of photographs and the context in which presented on a website allows you to collect a lot of information about a person, their habits or preferences. Regarding social networks in particular, it is very likely that a photograph and the original URL of this photograph identify the account of the person in question. Photographs can also have been published online to illustrate a press or blog article, therefore which is likely to contain accurate information about the person concerned and, therefore, elements related to its behavior. Additionally, images may contain metadata, such as image metadata. geolocation, which are also included in the search result and are can be used to complete a person's profile. This search result also allows you to identify the behavior of a person on the Internet, by analyzing the information that person has chosen to put online, as well as its context. Indeed, the publication of photographs online constitutes in itself a behavior of the affected person, since reflects options about the level of exposure you want to give to elements of your private or professional life. Therefore, it is appropriate to consider that the search result associated A photograph must be classified, at least partially, as a profile of behavior of the person in question, to the extent that it contains a large amount of information relating to said person and, in particular, his behavior. Even when the purpose of the treatment itself is not the control of the behavior, the means used to enable the identification system biometrics from the company Clearview involve the creation of such a profile, and may treatment to be considered “linked to behavioral monitoring” of the affected people. Secondly, the automated data processing that allows the creation of said behavioral profile and its availability to people who queries in the company's search engine should be classified as tracking on the Internet. Indeed, the very purpose of the tool marketed by Clearview is to be able to identify and collect certain information related to a person. The implementation of the different stages of processing described above, and in particular biometric techniques to distinguish an individual, lead to the creating a behavioral profile. However, this profile is created in response to a search carried out by a person and relating to a person who appears in a photograph. Additionally, the search can be renewed over time, allowing you to see a evolution of information relating to a person, especially when compared the results of successive searches. In fact, since the database is updated periodically, successive searches allow us to follow the evolution of a profile over time.” And the conclusion is reached that the treatment carried out in this way is linked to monitoring the behavior of the interested parties in the sense of the provisions of art. 3.2.b) of the RGPD and falls within the territorial scope of the RGPD. 9 Resource No.: 0002185/2021 On the other hand, the Italian Data Protection Authority, by the resolution of March 9, 2022, after discovering that what amounted to biometric control also of people in Italian territory, fined the company American Clearview AI with 20 million euros, as well as ordered the aforementioned company to delete data relating to natural persons in Italy. banned any other collection and processing of data through the system facial recognition of the company, and to appoint a representative in the EU to contact, in addition to the data controller based in the USA or in instead of it, in order to facilitate the exercise of the rights of the interested parties. Well, in light of the above, the Chamber agrees with what exposed, in the sense that the Spanish Data Protection Agency has jurisdiction to hear the appellant's claim against the company Clearview, the GDPR being applicable based on art. 3.2.b) of the aforementioned Regulation, It should be added that the aforementioned provision does not require that the treatment be carried out carried out in order to control people's behavior, but simply “linked” to him. Consequently, in light of the foregoing, the appeal must be upheld. contentious-administrative in relation to the claim that we have just stated examine, and the aforementioned appeal must be partially upheld. FIFTH.- In accordance with art. 139.1 of the Law of Jurisdiction, when estimated in party the contentious-administrative appeal, each party will pay the costs incurred at his request and the common ones in half. HAVING SEEN the cited articles, and others of general and pertinent application. WE FAIL: In relation to the contentious-administrative appeal filed by the Attorney General of the Courts N.N., in the name and representation of N.N., against the resolution of 1 September 2021 from the Director of the Spanish Data Protection Agency, which agreed to file the claim filed against Clearview AI INC., relapse in file E/04461/2021: 1st. The inadmissibility of the aforementioned appeal is declared by application of art. 69.b) of the Law of Jurisdiction regarding the second of the claims contained in the request of the demand. 2nd.- The appeal is upheld in relation to the first claim of the petition of the lawsuit, declaring the nullity of the appealed resolution for not being in accordance with right, and the Spanish Data Protection Agency must admit the the appellant's claim and process it. 10 Resource No.: 0002185/2021 3º- Without making a special statement on the procedural costs. This ruling is subject to appeal, which must be prepare before this Court within a period of 30 days counted from the day following that of your notification; In the document preparing the appeal, the compliance with the requirements established in art. 89.2 of the Law of the Jurisdiction justifying the objective cassational interest that it presents. Thus, by this our Sentence, we pronounce it, we order and we sign.