AP (The Netherlands) - Clearview

From GDPRhub
Revision as of 08:27, 5 September 2024 by Nicklee (including the English version of the decision published by the AP; removing the low-quality machine translation and replacing it with a link to the AP's English version of the decision)
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 3(2)(b) GDPR
Article 4(14) GDPR
Article 5(1)(a) GDPR
Article 6(1)(f) GDPR
Article 9(1) GDPR
Article 9(2)(e) GDPR
Article 27(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 16.05.2024
Published: 03.09.2024
Fine: 30,500,000 EUR
Parties: Clearview AI Inc.
National Case Number/Name: Clearview
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Dutch
Original Source: AP (in NL)
AP (in EN, Unofficial)
Initial Contributor: fb

The DPA fined Clearview AI €30,500,000 after it illegally collected personal data for its facial recognition system. The DPA held that the controller had no legal basis for this processing and ordered the controller to delete the data regarding Dutch data subjects.

English Summary

Facts

The controller, Clearview Inc., provides facial recognition services. Among other things, it offers a service called “Clearview for law-enforcement and public defenders”. This service allows governments and investigative authorities to search “by image” in a database of over 30 billion pictures. In this way, the user of the service can upload a picture of a data subject and find out which other photos in the database show the same data subject.

The controller had created the database by scraping images uploaded to the Internet, including those on social media platforms. The controller did not set any limitations in terms of geographical location or nationality, so the database also contains personal data concerning EU/EEA data subjects (including Dutch ones).

Some data subjects noted that their picture was present in this database and, therefore, filed a complaint with the DPA. In addition, the DPA decided to open an ex officio investigation on this matter.

Holding

The processing of biometric data

The DPA found that the data processed by the controller fall into the definition of biometric data under Article 4(14) GDPR.

First of all, the DPA pointed out that the mere fact that individuals are shown recognisably in photos is not enough to consider these photos biometric data. Rather, this is the case when they are processed through specific technical means allowing the unique identification or authentication of a natural person.

Secondly, the DPA noted that the controller uses an algorithm to convert the collected photos and the uploaded photos into vectors and stores the pictures and the corresponding vectors in a database. Therefore, the controller is using technical means.

Thirdly, the DPA held that the purpose of these technical means is to allow the unique identification of natural persons. Indeed, the search function compares the vectors of the uploaded pictures with those of the other pictures in the database and shows in which other photos the data subject appears. It is also possible to obtain the URLs and metadata related to these images.

The territorial scope of the GDPR

Firstly, the DPA noted that the controller is not established in the EU, but only in the USA. The controller claims that it is not subject to the GDPR and, therefore, does not reply to access requests under Article 15 GDPR.

Secondly, the DPA pointed out that Article 3 GDPR does not limit the territorial scope of the GDPR to the territory of the EU. More specifically, according to Article 3(2)(b) GDPR, the GDPR applies to a controller that is not established in the EU but monitors the behaviour of data subjects in the Union.

Thirdly, the DPA verified that the controller processes personal data regarding Dutch data subjects. This results from the fact that the controller scraped Dutch websites and did not implement any filter to exclude images of Dutch data subjects.

Fourthly, the DPA noted that the controller’s privacy policy of 29 January 2020 informed EEA data subjects that they could file a complaint with the competent DPA.

Fifthly, the DPA pointed out that other EU DPAs have already fined the controller because they found it had been processing personal data of EU data subjects.

As for the monitoring requirement, the DPA noted that the algorithm is able to match pictures even if the data subject’s appearance has changed over time. This means that the user of the service is able to follow the behaviour of the individuals shown in the images over the course of time. Therefore, especially since the clients of the controller are law enforcement authorities, the service can be used to monitor data subjects’ behaviour within the meaning of Article 3(2)(b) GDPR.

On these grounds, the DPA held that the processing of personal data by the controller for the purposes of providing this service falls under the territorial scope of the GDPR.

Clearview is the controller

The DPA noted that Clearview processes personal data in the context of setting up, maintaining and enriching the database and for training the facial recognition algorithm. By contrast, the users of the service are not involved in these activities and do not give instructions on how the database should be composed.

Therefore, the DPA held that Clearview determines the purposes and means of this processing and is to be regarded as controller under Article 4(7) GDPR.

Legal basis

The DPA noted that the controller claims it can carry out this processing on the basis of Article 6(1)(f) GDPR. Therefore, the DPA analysed only whether this legal basis could be used for the processing at hand. As a side note, the DPA nevertheless specified that no other legal basis would be applicable in this case either.

The DPA recalled that to verify if a controller can rely on the legal basis provided for by Article 6(1)(f) GDPR, a three-step test must be conducted.

As for the first step, the controller (or a third party) must have a legitimate interest, i.e. an interest which is lawful, sufficiently clearly articulated and represents a real and present interest (see C-708/18, Asociaţia de Proprietari bloc M5A-ScaraA, para. 44).

In the case at hand, the DPA considered that this interest could be:

  • An interest of the controller itself in offering access to the platform against payment. However, the DPA noted that, although the freedom to conduct a business comprises the freedom to perform economic or commercial activities, such freedom does not extend so far as to cover activities that almost fully coincide with infringing the fundamental rights of others. Therefore, this interest cannot be regarded as a legitimate interest.
  • An interest of the third parties using the service in fighting crime. On this point, the DPA noted that Article 6(1) GDPR excludes public authorities from relying on legitimate interest in the context of exercising their duties. Therefore, this interest cannot be regarded as a legitimate interest either.

Even though the test already fails at the first step, the DPA nevertheless went through the other two steps. As for the second step, the processing must be necessary to pursue the interest. The DPA found that this processing is not limited to what is strictly necessary, since the controller continuously collects an enormous quantity of data, even though it is not at all certain that the personal data in question will be relevant for any search.

As for the final step, the controller must carry out a balancing of interests. The DPA noted that the controller failed to provide information about this balancing. Moreover, it recalled that the processing concerns data within the scope of Article 9 GDPR, also involves children’s pictures and is large-scale processing. Therefore, the interests and fundamental rights of data subjects are seriously infringed.

Moreover, since the data subjects and the controller do not have any relationship, data subjects cannot be considered to have any “reasonable expectation” (see Recital 47 GDPR) that their personal data would be processed in this way.

Finally, the controller has not put in place any safeguards to delete photos, and the data associated with them, from the database once those photos are no longer published on the public internet.

Therefore, this final step fails too. More generally, the controller cannot rely on the legal basis provided for by Article 6(1)(f) GDPR for this processing.

On these grounds, the DPA found a violation of Articles 5(1)(a) and 6(1) GDPR.

The processing of biometric data

The DPA noted that the processing at hand involves biometric data and is, therefore, forbidden according to Article 9(1) GDPR. The DPA pointed out that the only exception could be the one provided for by Article 9(2)(e) GDPR.

However, the DPA held that the mere circumstance that these personal data are found online does not mean that data subjects had the intention of making all those data accessible to the general public, explicitly and by clear affirmative action.

Therefore, the controller violated Article 9(1) GDPR.

Transparency obligations

The DPA held that the controller violated Articles 12(1) and 14 GDPR since it failed to provide data subjects with the information required by Article 14 GDPR. According to the DPA, placing that information on the controller’s website is not enough. Rather, the controller should also take active steps to provide data subjects with the information in question.

Right of access

The DPA noted that the controller explicitly stated that it does not respond to access requests made by EEA data subjects. Moreover, in the case of the complainants, the controller did not reply to their access request. Therefore, the DPA found a violation of Article 12(3) GDPR read in conjunction with Article 15 GDPR.

Representative in the EU

According to Article 27(1) GDPR, if a controller is not established in the EU, it shall designate in writing a representative in the Union. However, the controller did not do so. Therefore, the DPA found a violation of Article 27 GDPR.

Sanctions and corrective measures

On these grounds, the DPA issued a fine of €30,500,000.

Moreover, it ordered the controller:

  1. to stop processing personal data of Dutch data subjects and to remove the personal data that Clearview unlawfully obtained;
  2. to provide data subjects with the information referred to in Article 14 GDPR in a concise, transparent, intelligible and easily accessible form;
  3. to answer data subjects’ requests;
  4. to designate a representative in the EU.

Finally, it ordered the controller to comply within three months, failing which a penalty for non-compliance of €250,000 per month is imposed for each of the above corrective measures.

Comment

The DPA pointed out that the controller could have submitted a notice of objection to the DPA within six weeks of the date the decision was sent. Since the controller has not submitted such a notice, the decision cannot be appealed.

Moreover, the DPA clarified that simply using this tool is also illegal.

Further Resources

See also the press release of the DPA here (NL) or here (EN).

English Translation of the Decision

The AP published an unofficial, though "complete and accurate" translation of the decision here.