Privacy & Cybersecurity Law Blog

On September 3, 2024, the Dutch Data Protection Authority (“Dutch DPA”) announced a €30.5 million fine against Clearview AI for the processing of personal data related to its biometric data database. The decision is dated May 16, 2024. The Dutch DPA follows other European data protection authorities that have previously fined Clearview AI for similar practices, such as the CNIL.

According to the Dutch DPA, Clearview AI has a database with more than 30 billion photos of individuals. After collecting these photos from the Internet, Clearview AI converts each photo into a unique biometric code. Clearview AI’s services are then offered to law enforcement for facial recognition purposes.

In its decision, the Dutch DPA stresses that the unique biometric codes connected to the images in Clearview AI’s database are biometric data, and that Clearview AI cannot rely on any of the Article 9 exceptions to the general prohibition of processing sensitive data under the EU General Data Protection Regulation (“GDPR”), making its processing of such data unlawful. Furthermore, the Dutch DPA considered that Clearview AI does not comply with the GDPR rules for provision of information to individuals, nor does it cooperate with individuals when they request access to their personal data as per its GDPR obligations.

In addition to the fine, the Dutch DPA has ordered Clearview AI to cease the unlawful behavior. If Clearview AI does not comply with this order, it will be subject to an additional penalty.

Read the Decision.