HDPA (Greece) - 35/2022
HDPA - 35/2022 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 5(1)(a) GDPR; Article 12 GDPR; Article 14 GDPR; Article 15 GDPR; Article 27 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 26.05.2021 |
Decided: | 13.07.2022 |
Published: | 15.07.2022 |
Fine: | 20,000,000 EUR |
Parties: | Clearview AI Inc; Homo Digitalis |
National Case Number/Name: | 35/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Greek |
Original Source: | HDPA (in EL) |
Initial Contributor: | Jette |
The Greek DPA fined Clearview AI €20,000,000 for unlawful processing of biometric data and ordered it to stop the collection of such data, as well as to delete all existing data.
English Summary
Facts
The controller (Clearview AI) sells personal identification services, including facial recognition software, to law enforcement agencies in the US. The data subjects are people in Greece.
The data subject submitted an access request to the controller. However, she was not satisfied with how the controller handled her request. Homo Digitalis, a non-profit dedicated to the protection of internet users in Greece, filed a complaint with the DPA on behalf of the data subject.
Holding
The DPA noted that GDPR is applicable, because Clearview AI uses its software to monitor the behavior of people in Greece, even though the company is based in the U.S. and does not offer its services in Greece or the EU. The DPA further found that the data processing had no legal basis and that there was a lack of transparency concerning the processing operations. Collecting images for a biometric search engine is illegal.
The DPA held that the controller violated the principles of legality and transparency (Articles 5(1)(a), 6 and 9 GDPR) as well as its obligations under Articles 12, 14, 15 and 27 GDPR.
The DPA fined the controller €20,000,000 for these violations.
The DPA further ordered the controller (1) to satisfy the data subject's access request, (2) to stop the collection and processing of personal data of subjects located in Greek territory using the methods involved in the facial recognition service, and (3) to delete such existing data. Lastly, the DPA ordered the controller (4) to appoint a representative in the EU, so that EU citizens can exercise their rights more easily and regulators have a contact person in the EU.
Comment
An alliance of organizations, including noyb, Privacy International (PI), Hermes Center, and Homo Digitalis, filed a series of complaints against Clearview AI Inc. in May 2021. The company claims to have "the largest known database of more than 10 billion facial images" and is aiming to reach 100 billion within the next year to make almost every person worldwide identifiable. The images for this come from social media accounts and other online sources. Complaints have been filed with data protection authorities in France, Austria, Italy, Greece and the United Kingdom.[1]
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
1-3 Kifisias St., 11523 Athens, Tel: 210 6475600, Fax: 210 6475628, contact@dpa.gr / www.dpa.gr
Athens, 13-07-2022
Prot. No.: 1809
DECISION 35/2022
The Personal Data Protection Authority met via teleconference on 04-19-2022, following the meeting of 03-29-2022, at the invitation of its President, in order to consider the case referred to in the history of the present decision. Present were the President of the Authority, Konstantinos Menoudakos, and the regular members of the Authority, Grigorios Tsolias and Christos Kalloniatis as rapporteurs, Spyridon Vlachopoulos, Konstantinos Lambrinoudakis, Charalambos Anthopoulos and Ekaterini Iliadou. Present, without the right to vote, were Fotini Karvela, Maria Alikakou, Anastasia Kaniklidou and Kyriaki Karakasi, legal auditors - lawyers, as well as Georgios Rousopoulos and Pantelis Kammas, IT auditors, as assistant rapporteurs, and Irini Papageorgopoulou, employee of the administrative affairs department, as secretary.
The Authority took into account the following:
With complaint no. prot. C/EIS/3458/26-05-2021, which was submitted to the Authority by the Urban Non-Profit Company under the name "Homo Digitalis" on behalf of the complainant, A, a violation is complained of, in principle, of the right of access exercised by the latter before the company Clearview AI, established in the U.S. (214 W 29th St, 2nd Floor, New York City, NY, 10001). The said complaint, which also requests the examination of the arrest records of each company in terms of privacy, was filed at the same time as four other complaints of relevant content before the supervisory authorities of Austria, France, Italy and the United Kingdom, with a view to pursuing a coordinated response by the supervisory authorities to the practices of the above company.
In the context of the case under consideration, the complainant sent on 03-24-2021 an electronic message to the company complained against, exercising, in accordance with article 15 of the General Data Protection Regulation (Regulation (EU) 2016/679 - hereinafter, GDPR), the right of access to her personal data processed by the said company, while on the same date she received confirmation of the successful receipt of the aforementioned request from its recipient. Subsequently, on 26-04-2021 the complainant renewed the above request with a relevant reminder message to the company complained against. On 04-30-2021 the complainant was informed by a representative of Clearview AI that the above request submitted by e-mail was not detected, and she was asked to attach her photo in order for her request to be forwarded as urgent, in case she had used an email address other than the one through which she submitted the disputed request for the first time. On 05-05-2021, in response to the above, the complainant sent the e-mail of 03-24-2021 confirming receipt of her request by the defendant, while on 26-05-2021 she submitted the complaint under consideration before the Authority.
The Authority, in the context of examining the above complaint, addressed the company complained against with its document no. prot. C/EIS/4752/16-07-2021 and, after recalling the provisions of articles 3 par. 2 and 27 of the GDPR regarding the territorial scope of the GDPR and the representatives of controllers or processors not established in the European Union (hereinafter: EU), requested from the company in question information about the details of its representative in the EU, if it is based in a country outside the EU.
For the case where the company has an establishment within the EU, a series of questions were asked about the identity of the controller or processor for the processing in question, the possibility of the controller or the processor having more than one establishment on EU territory, and the indication of the main establishment where several exist. In addition, and in continuation of the above questions, clarification was requested of the nature of the processing as cross-border, either in the sense that it is carried out in the context of the activities of establishments of the company complained against in more than one Member State, or in the sense that it affects or can significantly affect