AN - 2185/2021
Audiencia Nacional - Sala Cont-Admtvo - 0002185/2021 | |
---|---|
Court: | Audiencia Nacional - Sala Cont-Admtvo (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 3(2)(b) GDPR Ley 29/1998, de 13 de julio, reguladora de la Jurisdicción Contencioso-administrativa |
Decided: | 12.07.2024 |
Published: | 16.07.2024 |
Parties: | AEPD |
National Case Number/Name: | 0002185/2021 |
European Case Law Identifier: | |
Appeal from: | AEPD E/04461/2021 |
Appeal to: | Unknown |
Original Language(s): | Spanish |
Original Source: | Audiencia Nacional - Sala Cont-Admtvo (in Spanish) |
Initial Contributor: | lm |
The Court found the Spanish DPA competent to resolve a complaint against US-based Clearview AI, and thus ordered the DPA to admit and process the complaint.
English Summary
Facts
Clearview AI Inc. (the controller) is a facial recognition company established in the United States. The controller permits users to upload an image of a person’s face and scrape the internet for other photos of them, as well as the URLs where those photos are found. Frequently, these searches identify a data subject’s social media accounts or other webpages that disclose further personal data about them.
In February 2020, September 2020 and January 2021, the data subject submitted access requests as well as objections to processing to the controller via the email address privacy@clearview.ai. The controller did not respond until 29 January 2021, when it instructed the data subject to exercise its rights using a web form. The data subject submitted the form but did not receive a response. In March 2021 the data subject sent another email to the controller attempting to exercise their rights. The controller again responded by instructing them to fill out the web form.
On 10 March 2021, the data subject filed a complaint with the Spanish DPA (AEPD) alleging infringements of Articles 15, 17 and 21 GDPR. Before admitting the complaint for processing, the AEPD transferred it to the controller and requested a report on the causes of the incidents as well as measures to avoid similar situations. The AEPD did not receive a response from the controller. On 22 March 2021, the controller responded to the data subject only with regard to their access request.
In September 2021, the AEPD archived the complaint on the basis that it lacked competence because the controller did not come within the scope of Article 3(2)(b) GDPR. This provision applies the GDPR to controllers established outside of the EU – in this case, the US – when they offer services to data subjects in the Union. The AEPD considered that these circumstances do not exist in this case.
The data subject initiated proceedings before Spain’s National Court, Chamber of the Contentious-Administrative (the Court) to challenge the AEPD’s dismissal. It argued that the AEPD is competent to handle the complaint because Clearview processed EU data subjects’ data, including special categories of data under Article 9 GDPR, bringing it within the scope of Article 3(2)(b) GDPR. Specifically, the controller processes photographs “through specific technical means allowing the unique identification or authentication of a natural person”—a type of processing that Recital 51 GDPR explicitly considers processing of a special category of data. The data subject requested that the AEPD’s dismissal be annulled and that the Court:
- Order the AEPD to recognize its competence to resolve the complaint.
- Order the AEPD to initiate sanctioning proceedings and find infringements of Articles 6, 9, 14, 15 and 17 GDPR.
Holding
The Court partially upheld and partially rejected the appeal. It upheld the appeal with relation to the first request, finding that the DPA was competent to resolve the complaint under the GDPR and thus must admit and process the data subject’s complaint. The Court rejected the second request because the data subject did not have standing to request a Court to order a DPA to sanction a controller.
Request to Order the AEPD to Initiate Sanctioning Proceedings
The Court rejected the data subject’s request that the Court order the AEPD to initiate sanctioning proceedings.
The Court reiterated the Supreme Tribunal’s prior jurisprudence noting that complainants do not have a subjective right or legitimate interest in sanctioning a defendant. While complainants have sometimes been found to have standing to challenge dismissal decisions, they do not have standing to challenge final administrative decisions. (Supreme Court’s sentence of 6 October 2009, no. 4.712/2005) This punitive power is entrusted solely to the administrative entity – in this case, the AEPD. As a result, data subjects do not have standing to challenge DPA decisions on the outcome of a case, nor can they request courts to impose administrative sanctions that were not imposed by the DPA. By the same logic, contentious-administrative courts can control the legality of administrative acts in sanctioning matters, but they cannot impose administrative sanctions that were not imposed by the Administration.
Request to Order the AEPD to Resolve the Complaint
The Court held that a data subject does have standing to challenge a decision issued in a procedure for the protection of rights where an authority rejects the claim filed. It found that the AEPD was obligated to resolve the complaint, and that it thus erred in its dismissal.
The Court rejected the AEPD’s finding that it lacked competence to resolve the complaint. It agreed with the data subject as well as DPAs in Hamburg, the Netherlands, France, Greece, Italy and the UK that the controller, in processing and scraping the personal data of European users, is processing data and thus within the scope of Article 3(2)(b) GDPR. Article 3(2)(b) GDPR does not mean that processing must have the purpose of controlling behavior of the data subjects; it only requires that the processing be ‘linked’ to the data subject.
In particular, the Court relied heavily on the French DPA’s (CNIL) decision of 26 November 2021, in which it identified Clearview AI Inc. as coming within the scope of Article 3(2)(b) GDPR. The CNIL considered the extent of the controller’s processing, including scraping the web for photos of data subjects, the URLs where those photos are, the metadata contained in photos. The purpose of Clearview’s technology, the CNIL concluded, is identifying, finding information on and creating a detailed profile about an individual. The Court also noted that the Italian DPA (Garante) fined Clearview AI €20 million for its unlawful processing of data subjects in Italian territory, prohibited further processing and ordered it to designate a DPO in the EU. The Court agreed with the CNIL and the Garante that the controller falls within the scope of the GDPR and that Member State DPAs are thus competent to resolve complaints involving the controller.
For those reasons, the Court partially upheld the appeal and ordered the AEPD to admit and process the complaint.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.