Facial recognition: Italian SA fines Clearview AI EUR 20 million

Mar 10, 2022

Source: European Data Protection Board

Background information

Date of final decision: 10 February 2022
Cross-border case or national case: national case, Article 3(2) applies
Controller: Clearview AI Inc.
Legal Reference:  Principles relating to processing of personal data (Article 5(1)(a)(b)(e)); Lawfulness of processing (Article 6); Processing of special categories of personal data (Article 9); Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12); Information to be provided where personal data are collected from the data subject (Article 13); Information to be provided where personal data have not been obtained from the data subject (Article 14); Right of access by the data subject (Article 15); Representatives of controllers not established in the Union (Article 27).
Decision:  The Italian SA imposed a fine amounting to EUR 20 million, imposed a ban on further collection and processing, ordered the erasure of the data, including biometric data, processed by the Company’s facial recognition system with regard to persons in the Italian territory and the designation of a representative in the territory of the European Union.
Key words:  Web Scraping, Images Database, Facial Recognition, Biometric Data, AI systems, Geolocation, Jurisdiction under EU law, Representative in the EU.

 

Summary of the Decision

Origin of the case

The Italian SA launched an own volition proceeding following press reports on several issues in connection with facial recognition products which were offered by the Clearview AI Inc. Moreover, the Garante received, during 2021, four complaints and two alerts by two organisations that are active in the field of protecting privacy and the fundamental rights of individuals against Clearview.

Key Findings

The inquiries and assessment by the Italian SA found several infringements by Clearview AI Inc. The personal data held by the company, including biometric and geolocation information, were processed unlawfully without an appropriate legal basis – since the legitimate interest of the US-based company does not qualify as such. Additionally, the company infringed several fundamental principles of the GDPR, such as transparency, purpose limitation, and storage limitation; it failed to provide the information set out by Article 13-14, to provide information on an action taken on a request under Article 15 within the due timeframe, and to designate a representative in the EU.

Decision

The Italian SA imposed a fine amounting to EUR 20 million.
Additionally, the Italian SA:

imposed a ban on any further collection, by way of web scraping techniques, of images and the relevant metadata concerning persons in the Italian territory and on further processing of the standard and biometric data that are handled by the Company via its facial recognition system and concern persons in the Italian territory;
ordered erasure of the data, including biometric data, processed by its facial recognition system with regard to persons in the Italian territory, subject to the obligation to timely reply to such requests for the exercise of the rights under Articles 15 to 22 of the Regulation as may have been received  from data subjects in accordance with Article 12(3) of the Regulation;
ordered the Company to designate a representative in the territory of the European Union.

For further information:
Ordinanza ingiunzione nei confronti di Clearview AI – 10 febbraio 2022 (IT)

 

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.

Recent news

EDPB calls for coherence of digital legislation with the GDPR

Brussels, 04 December - During its December 2024 plenary, the European Data Protection Board (EDPB) adopted a statement on the second report of the European Commission on the application of the General Data Protection Regulation (GDPR).* In its statement, the EDPB...

read more

EDPB stakeholder event AI models

The EDPB is holding a stakeholder event on “AI models” with participants representing European sector associations, organisations, NGOs, individual companies, law firms and academics.    During today’s event, the EDPB will collect input for of the preparation of a...

read more