DSB (Austria) - 2022-0.277.156

From GDPRhub
DSB - 2022-0.277.156
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 3(2)(b) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 09.05.2023
Published:
Fine: n/a
Parties: Clearview AI
National Case Number/Name: 2022-0.277.156
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): German
Original Source: DSB (in DE)
Initial Contributor: mg

The Austrian DPA found that Clearview AI’s processing activities violated the GDPR. Nevertheless, it neither imposed a fine nor ordered the controller to stop the processing.

English Summary

Facts

A data subject requested the controller – Clearview AI – to ban the processing of their personal data. Clearview is a US-based company whose business consists of scraping the web to collect pictures from several sources, finding correlations between pictures and indexing them. Clearview’s clients access the database created in this way by uploading a picture of the person they are looking for. In this way clients have access to other pictures and related URLs.

The data subject lodged a complaint with the Austrian DPA as Clearview has no establishment in the EU. According to the data subject, the controller unlawfully processed personal data without a legal basis in violation of Articles 6(1) and 9 GDPR. The controller also violated the principle of purpose limitation and Article 27(2) GDPR, as it did not establish a representative in the EU. The data subject asked the Austrian DPA not only to order the controller to ban the processing of their data, but also to prevent the controller from processing personal data of other people living in the EU.

The controller claimed that the GDPR was not applicable, as Clearview had no establishment in the EU, did not offer goods or services in the EU, and did not monitor people in the EU. The controller claimed that Clearview’s search tool gave access to less personal data than a search on general search engines. The controller did not analyse the behaviour of data subjects whose pictures were collected, nor did it profile them in any way. The controller did not track users’ activities on the Internet, either.

The data subject replied that a series of linked pictures was nothing other than another form of monitoring. Moreover, the scraping and indexing of new pictures relating to individuals was continuous: as soon as a new photo popped up on the internet, it was collected by the controller to update this monitoring. A comparison with general search engines was incorrect, as the controller used a biometric criterion and the search produced only pictures of that individual. By contrast, typing a person’s name on search engines like Google also gives access to information that is not related to that individual.

Holding

To ascertain whether the GDPR applied to the facts at issue, the Austrian DPA addressed the question whether Article 3(2)(b) GDPR covered the processing activities undertaken by the controller. The DPA highlighted that Article 3(2) GDPR is very broad in its formulation: not only processing activities directly aiming at monitoring, but also processing activities “related to the monitoring” are covered. According to the supervisory authority, both profiling and tracking fall within the category of “monitoring”. For these reasons, the controller was subject to the GDPR.

The Austrian DPA found that the controller violated the principle of purpose limitation as the purpose for which Clearview processed personal data was different from the purposes for which data were published on the internet.

The controller also violated the principles of fairness and transparency – Article 5(1)(a) GDPR – since the data subject could not expect that their data would be disclosed to Clearview’s clients, most notably law enforcement agencies. Article 9 GDPR was also violated by processing special categories of data – and more precisely biometric data – outside of the cases provided for by this provision.

The processing was therefore unlawful and the Austrian DPA ordered the controller to delete the data subject’s personal data. However, the Austrian DPA did not impose a ban on Clearview’s activities in the EU pursuant to Article 58(2)(f) GDPR, considering the deletion sufficient to enforce the regulation. The DPA claims the data subject had no subjective right to a ban.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.