Clearview AI Fined $33.7 Million Over 'Illegal Database' of Faces (apnews.com)
An anonymous reader quotes a report from the Associated Press: The Dutch data protection watchdog on Tuesday issued facial recognition startup Clearview AI with a fine of $33.7 million over its creation of what the agency called an "illegal database" of billions of photos of faces. The Netherlands' Data Protection Agency, or DPA, also warned Dutch companies that using Clearview's services is also banned. The data agency said that New York-based Clearview "has not objected to this decision and is therefore unable to appeal against the fine."
But in a statement emailed to The Associated Press, Clearview's chief legal officer, Jack Mulcaire, said that the decision is "unlawful, devoid of due process and is unenforceable." The Dutch agency said that building the database and insufficiently informing people whose images appear in the database amounted to serious breaches of the European Union's General Data Protection Regulation, or GDPR. "Facial recognition is a highly intrusive technology, that you cannot simply unleash on anyone in the world," DPA chairman Aleid Wolfsen said in a statement. "If there is a photo of you on the Internet -- and doesn't that apply to all of us? -- then you can end up in the database of Clearview and be tracked. This is not a doom scenario from a scary film. Nor is it something that could only be done in China," he said. DPA said that if Clearview doesn't halt the breaches of the regulation, it faces noncompliance penalties of up to $5.6 million on top of the fine. Mulcaire said Clearview doesn't fall under EU data protection regulations. "Clearview AI does not have a place of business in the Netherlands or the EU, it does not have any customers in the Netherlands or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR," he said.
Dutch residents? (Score:4)
But does their database include photos of citizens of either the Netherlands or the EU? At that point, they do fall under GDPR, as I understand it.
Re: (Score:2, Informative)
Are you "a company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU."? If so, yes.
A plain reading of the GDPR scope clearly indicates that it applies to Clearview. The big question will be how the EU intends to enforce the penalties it seeks.
Re: (Score:2)
Re: (Score:1)
Are you "a company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU."? If so, yes.
A plain reading of the GDPR scope clearly indicates that it applies to Clearview. The big question will be how the EU intends to enforce the penalties it seeks.
That’s the challenge with trying to extend laws beyond one’s border. First, if a company has no presence in your country nor sells to anyone there, why should your laws apply and how will you enforce them? While some may cheer “GDPR” I suspect it would be different if it was the US demanding a Dutch company turn over user data on any persons with a US nexus.
Re: (Score:2)
ummm, Swiss banks anyone? ...
whatever mafia the Hollywood is
Re: (Score:2)
As a citizen you are free. You only might be breaking the law if you use those pictures as part of an *established business*. (The essential competence of the EU relates to the regulation of products and services made available on the market; not individual behaviours.)
Re: (Score:2)
If they have no presence or assets in the EU, then whether or not the EU wants it to apply is irrelevant, since they can't enforce it.
Re: (Score:3)
Re: (Score:2)
Have you never heard of extradition?
The US can pull that off with citizens of other countries. Good luck on the reverse, especially when the target can afford real lawyers.
Plus, this is a fine against the company, not against individuals. How do you propose to extradite a company?
Even without it, you can be tried & sentenced in absentia & never be able to set foot in a country without being arrested.
I'm sure they're crushed at not being able to go to a country they never had any interest in going to in the first place.
The law's the law.
And sovereignty is sovereignty. And the US really doesn't give a shit about other countries' laws.
Re: (Score:3)
Re: (Score:2)
You clearly haven't been paying any attention at all for the last several decades. The US extradites foreign nationals who have never been to the US for things that violate US law, but not necessarily the laws of the country they're done in, all the time, and foreign governments cooperate.
The reverse doesn't happen, because the US is the king of the world.
Re: (Score:2)
Re: (Score:2)
At that point, they do fall under GDPR, as I understand it.
Like a lot of law questions, it depends. From what I see, the GDPR claims it applies by virtue of public international law. While doing some quick reading of interpretations, it only might apply. The specifics of when/how are beyond my desire to learn.
Re: (Score:3)
I think what Clearview is implying is that, having no place of business and no customers in NL or EU, they can't be made to pay. But it also means they can't ever do any business in EU, as they would have to first clear their past fines and it would not be worth it.
Re:Dutch residents? (Score:5, Insightful)
This! Yes the fine itself is unenforceable as it stands right now, but it is also a pre-emptive block. The EU (and the Netherlands especially) have a long history of fining / finding against people in absentia.
The thing is, while it sounds like it's an unfair price for market entry, this ruling isn't wrong. The GDPR protects the population and you can't enter a market at a later date and claim all the sins of the past were invalid because you simply didn't have a place of business in the EU. The fine here is pre-emptive, effectively letting the company know their database is not in compliance which will lead to some interesting discussions if they ever decide they *do* want to expand into the EU.
Re:Dutch residents? (Score:4, Interesting)
But does their database include photos of citizens of either the Netherlands or the EU? At that point, they do fall under GDPR, as I understand it.
That is what is known as extra-jurisdictional reach.
It is illegal to post about the Tiananmen Square massacre under Chinese law. I am not subject to Chinese law and thus can say whatever I want - but it is still a violation of Chinese law: they just cannot enforce it upon me. Clearview is based in NY, USA. They are subject to US law, and New York law. Any other laws can only be enforced on them with the agreement of the US government (which won't happen), or by force of arms (which would be defended by the US government/military).
Most international legal violations are resolved voluntarily due to business interests. If the owners of Clearview are careful they have no business interests that the Netherlands government can use to put pressure on them to comply. They could issue an international arrest warrant for the executives -if they are found traveling within the EU they could be detained, but that would create a diplomatic incident with the USA (as the executives are US citizens and have not broken US laws).
The EU will have to negotiate with the USA to convince the USA to change its laws to stop this type of violation. It is unlikely to succeed.
Re: Dutch residents? (Score:2)
Re: (Score:2)
They have no business footprint there. How can you possibly think they have jurisdiction in this scenario? What you gonna do, raid their USA office? Highly unlikely. Clearview isn't in that market in any capacity.
The quiet part is Clearview has probably sold this database to any and every government that exists because government is all about spying on its citizens with facial recognition. Isn't this pretty much used at all airports these days?
Not saying I agree with it but I can't see how the EU or an indi
Re:Dutch residents? (Score:5, Insightful)
It might be important if some LEO in the US wants to extradite an EU citizen though.
Because if Clearview AI is illegal in the EU, it's also illegal to use it as evidence in the EU. So if you want to extradite some EU citizen over some crime, and you used Clearview AI's services to obtain the identity, then basically you're screwed.
That evidence was illegal evidence and you're going to need a lot more information to justify extradition.
Remember, in a trial for extradition, you need to show you have sufficient evidence to convict, and evidence that was obtained illegally in the country is still illegal evidence even if it's critical to your case, which can mean the extradition fails and crime goes unpunished.
So yes, it can be useful on US soil, against US citizens, but if it comes up with someone from Australia, the EU or other countries, suddenly hearts should start sinking because the use of it has basically made it impossible to prosecute. They can be tried in absentia but that's not really a big win as the guy is still free.
Re: (Score:2)
If I was Clearview, I'd tell them to shove their fine where the sun don't shine. They literally have no way to punish Clearview here.
The boss of Telegram might differ on this presumption :)
Clearview won't last much longer (Score:3)
Re: (Score:2)
They've been fined internationally. France, Italy, Australia already ruled against them. Californians should go after them next, and bring the battle back to the states.
And unless they do business there they can simply ignore the fines, just as a Dutch company would ignore judgements under the ADA or fines by say, Iran. The only risk is to an employee that might wind up in a country that fined them.
Re: (Score:2)
Re: (Score:3)
It means they can't expand into the EU, limiting their market. That's a good thing, we don't want companies like Clearview operating here.
Re: (Score:2)
Australia's privacy regulator has recently announced that it's stopped pursuing Clearview. [theguardian.com] Their original ruling still stands but they've never collected any fines nor even had any confirmation from Clearview that they've complied with the order to cease collecting images and to delete those already collected.
That'll show 'em! (Score:2)
Even if they could collect the fine - which it seems they can't - call it $35 million for 1 billion faces. At 35 cents per face, that's gotta hurt. /sarc
But I guess it establishes a precedent which - theoretically - in effect prevents Clearview from doing any business in the EU. I say "theoretically" because any European businesses that wish to use Clearview's services can probably do so without their governments knowing about it.
Re: (Score:2)
Re: (Score:2)
I assume I don't have to mention they were posted by fake accounts, after all, it involved Trump.
Re: (Score:2)
What a bargain! (Score:2)
Sigh. (Score:2)
"If there is a photo of you on the Internet -- and doesn't that apply to all of us? -- then you can end up in the database of Clearview and be tracked"
And without explicit consent, and if your software is scraping images hosted in the EU, you have just not only "done business in the EU" but broken data protection laws in that jurisdiction.
And if you scraped images of kids? Ouch. Good luck with that. Not even schools are allowed to post images of kids without prior written consent in most EU jurisdictions.
Enforcement? (Score:1)
The problem though is, if they are using a
Texas has laws
Not Enough - Purge all the Data! (Score:2)