Garante per la protezione dei dati personali (Italy) - 9751362
|Authority:|Garante per la protezione dei dati personali (Italy)|
|Relevant Law:|Article 5(1)(a) GDPR; Article 5(1)(b) GDPR; Article 5(1)(e) GDPR; Article 6 GDPR; Article 9 GDPR; Article 12 GDPR; Article 13 GDPR; Article 14 GDPR; Article 15 GDPR; Article 27 GDPR|
|National Case Number/Name:|9751362|
|European Case Law Identifier:|n/a|
|Original Source:|Garante per la protezione dei dati personali (in IT)|
The Italian DPA fined Clearview € 20,000,000 (twenty million) for conducting facial recognition on images scraped from public web sources, thereby contravening Articles 5(1)(a), (b) and (e), 6, 9, 12, 13, 14, 15 and 27 GDPR, and ordered the deletion of the personal data concerned.
Clearview A.I. Inc. (Clearview) is a company conducting facial recognition on public web sources and is the data controller. Four data subjects had sought information from Clearview under Article 15 GDPR. Clearview replied to three of them and provided “special reports” containing the results obtained through the Clearview software. In 2021, these data subjects complained to the Italian DPA (Garante per la protezione dei dati personali) about the processing of their personal data by Clearview without their consent. In addition, two “organisations committed to defending the privacy and fundamental rights of individuals” submitted information about precedents in Germany and Sweden, together with their own reports on the activities of Clearview, to the DPA. Based on the press reports on the activities of Clearview and the complaints submitted to it, the DPA opened an investigation.
Before the DPA, Clearview submitted as follows:
• Since 2019, law enforcement agencies in the United States (US) have been using Clearview, “especially in the context of child pornography investigations”. This generated international interest and several European government agencies signed up for a test account for a short time.
• In March 2020, following complaints by regulators in the European Union (EU), these test accounts, which were very few, were closed.
• Clearview does not have any customers in the EU, and it enforces this through a “specific setting that prevents access to the software via European IP addresses.”
• Clearview’s technology is used by law enforcement agencies and assists them in identifying criminals. As per Clearview’s terms, it is the responsibility of its customers to “verify that the use of this product is legitimate in light of the local regulations applicable to it.”
• Clearview contractually requires its users to conduct further investigations and independently corroborate information collected using Clearview.
• Clearview is based in the US and has no branch in the EU. It neither offers its services in the EU nor monitors behaviour.
• Clearview did expand to Canada but ceased all its activities in Canada following the proceedings initiated by the Canadian Privacy Commissioners. This expansion cannot be considered to demonstrate its intention of entering the Italian market.
• Journalistic sources cannot be relied upon as they are speculative.
• The Swedish decision was concerning the above test accounts that existed for a short period and were available to Swedish police forces.
• Clearview did not conduct any behavioural analysis or use any profiling techniques. Collection of data, even of significant volume, does not automatically constitute profiling.
• The data controller is Clearview’s customer (i.e. the police forces) and not Clearview itself, as was held by the Swedish authority.
• Clearview “does not collect or provide any information about the location, browser history, business activity or behaviour of the natural person who appears as a search result and does not imply any behavioural, predictive or analytical modeling. The information that can be obtained about an individual using Clearview's search engine is less meaningful than the information that can be obtained from a Google Search based on that individual's name, and no one is claiming that a Google browser search constitutes behavioral monitoring.”
• Clearview is compliant with US law and it is impossible to take into account all existing laws in a globalized world. “Moreover, since Google's search engine is presumed to comply with European laws because Google is established in the EU and offers its services to users in the EU, if the Regulation were also found to apply to Clearview, the processing of the complainant's data should be considered lawful”.
• Clearview voluntarily complies with requests for access from European residents, even though it is not bound to do so.
The DPA determined as follows:
• Clearview “not only collects images to make them accessible to its customers, but also processes the collected images by web scraping, through a proprietary facial matching algorithm, in order to provide a highly qualified biometric search service.” As per its website, the service is not available to the public but only to certain categories of customers (i.e. police forces). Therefore, “the platform offered by Clearview assumes peculiar characteristics that differentiate it from a common search engine that does not process or enrich images present on the network. In particular, Clearview does not work on cache memory, but creates a database of snapshots of images that are stored as present at the time of collection and not updated. Moreover, as mentioned above, Clearview processes these images with biometric techniques, hashes them and associates them with any available metadata”. Thus, its services are not comparable to those offered by Google.
• Clearview is the data controller as it “uses its own means to collect images and subsequently transform them into biometric data, and has a proprietary database in which the information is stored and extracted as a result of the search performed by the user. The purpose pursued by Clearview is therefore that of making available, in return for a fee, information such as images and metadata, useful to customers for the pursuit of different and additional purposes.”
• The DPA has jurisdiction and the GDPR is applicable to Clearview, as it did at one point offer its services to European users. Moreover, Clearview’s activities, as revealed by its patent application filed in the US, constitute “monitoring of behaviour”. In addition, Clearview’s website states that “the data collected include not only photographs available to the public and available on the Internet, but also information that can be extracted from those photographs, such as the geolocation metadata that they may contain, as well as information derived from the analysis of the faces of the persons depicted and which, as such, constitute biometric data on the basis of which the comparison process is carried out.” Accordingly, Article 3(2) GDPR applies. Moreover, the question of a DPA’s jurisdiction and powers with respect to Clearview has also been decided by the CNIL in a separate matter.
• The photographic image of a person, as long as the person is identified or identifiable, constitutes personal data. The fact that the photographs were already available on the internet “is not sufficient to consider that data subjects can reasonably expect them to be used for facial recognition purposes, moreover by a private platform, not established in the EU and of whose existence and activity most data subjects are unaware.” Web scraping is almost always prohibited by the terms of social media platforms, and press reports have shown that “Twitter, Youtube, LinkedIn have sent Clearview a cease and desist letter to stop collecting data that can be used to identify a person.”
• Clearview not only collected personal data but through further processing converted a photograph into biometric data.
• Clearview did not comply with Article 5(1)(a) GDPR “which requires compliance with the principles of lawfulness, fairness and transparency in the processing of data with regard to the data subject”.
• Clearview violated Article 5(1)(b) GDPR which “provides for compliance with the principle of purpose limitation.”
• Clearview did not have any valid legal basis under Article 6 GDPR for the processing of personal data. Its claimed legitimate economic interest “cannot but be at odds with the rights and freedoms of the persons concerned, and in particular with the serious threat to the right to privacy, the prohibition of automated processing and the principle of non-discrimination inherent in the processing of personal data such as that carried out by the Company.”
• Clearview violated Article 9 GDPR due to its “processing of special categories of data (with reference to biometric data).”
• Clearview violated Articles 12, 13, 14 and 15 GDPR as the data subjects “had to repeat their requests for access several times before receiving a reply from Clearview, despite the fact that the contact channels indicated on the company's website (online form and e-mail address dedicated to privacy requests) had been used.” Moreover, “Clearview, in order to process requests for access, has asked the interested parties to provide identification, such as an identity document, which is excessive in relation to the objective pursued” as there were no “reasonable doubts” as to the identity of the data subjects. Clearview did not provide timely, complete, up to date, “precise and transparent communication” to the data subjects.
• Clearview breached Article 27 GDPR by not designating a representative in the territory of the EU.
• There were no grounds to determine a violation of Article 22 GDPR as Clearview had “not provided any specific evidence in this regard, and no technical system elements are currently available that could corroborate the thesis of the existence of automated processing.”
Clearview’s violations were considered serious as they amounted to a form of mass surveillance. They were not isolated events and continued even after the “service was no longer offered to customers established in the European Union.” Thus, the DPA directed Clearview to do the following:
• “prohibit the processing of: i) further collection, by means of web scraping techniques, of images and related metadata concerning persons who are on Italian territory; ii) prohibition of any further processing of common and biometric data processed by the Company through its facial recognition system concerning persons who are on Italian territory.”
• Delete the “aforementioned data, without prejudice to the obligation to provide timely feedback to requests to exercise the rights” given under Articles 15-22 GDPR, “which may have been received in the meantime from interested parties. In the latter cases, in order to facilitate the exercise of rights by the data subjects, the response must be provided in accordance with the timeframe and procedures set out” in Article 12(3) GDPR.
• Designate within thirty days “a representative in the Italian territory to act as interlocutor, in addition to or instead of the data controller, with the interested parties in order to facilitate the exercise of their rights.”
• Provide “adequately documented feedback, within thirty days of notification of this measure, of the initiatives taken to implement the above order” and “measures put in place to facilitate the exercise of the rights of the persons concerned.”
• Pay a cumulative sum of € 20,000,000 (twenty million) for contravening Articles 5(1)(a), (b) and (e), 6, 9, 12, 13, 14, 15 and 27 GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.