The Dutch Data Protection Authority strikes again: €30,5 million fine for US AI provider

11 Sep 2024

A week after its €290 million fine against Uber, the Dutch Data Protection Authority (“AP”) strikes again with a fine of €30,5 million against Clearview AI Inc. (“Clearview”) for its alleged infringements of the General Data Protection Regulation (“GDPR”). If Clearview does not cease its infringements, it may incur additional penalties of up to €5,1 million.

Activities of Clearview

Clearview is a US-based company without any branch or subsidiary in the EEA. According to its website, it offers services based on facial recognition technologies to, among others, law enforcement authorities and public defenders. Clearview’s facial recognition services would help identify suspects, criminals and victims and have assisted in the identification of numerous child exploitation victims.

To support its activities, Clearview has created a database with over 30 billion images scraped from publicly accessible pages on the internet, such as news publications and social media platforms, irrespective of the territory under which the domain name has been registered. Clearview’s database therefore includes images of (and thus processes personal data from) data subjects in the EEA. Clearview updates and enriches its database over time with images, URLs and metadata, leading to an archive of continuously updated information on data subjects over a certain period of time. 

Despite several investigations and fines from data protection authorities in Germany, Italy, the UK, Greece, France and Austria, Clearview failed to take action to make its activities compliant with the GDPR. The AP’s investigation into Clearview's activities follows two complaints from individuals whose photos were processed by Clearview without their knowledge or consent.

Clearview consistently argues that its activities do not fall within the scope of application of the GDPR (cf. infra). As such, it refused to collaborate with the investigation, with the result that the Dutch AP relied upon publicly available data, findings by other supervisory authorities and its own assumptions about the facts underlying the case.

Extraterritorial application of the GDPR

According to Clearview’s public statements, it is not subject to the GDPR and its requirements. Clearview argues that, as a US-based company that neither offers services to nor targets the European market, it does not fall under the (extra-territorial) scope of the GDPR, as provided for in Article 3 GDPR.

According to said Article 3, foreign companies are still subject to the GDPR insofar as they process personal data in order to:

(1) offer goods or services to data subjects in the EU, or 

(2) monitor their behaviour, as far as this behaviour takes place within the EU. 

The AP rules that Clearview falls under the scope of “monitoring” when it enriches its image database, covering a large number of data subjects, on a continuous basis via web scraping practices.

The concept of monitoring under the GDPR remains rather vague and open for interpretation. Recital 24 GDPR clarifies that “it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”

According to the AP’s findings, by carrying out extensive web scraping and data enrichment, Clearview creates a comprehensive archive of information on a specific data subject’s behaviour and appearance over a period of time (which would meet the element of tracking). Further, Clearview’s customers would be able to research the behaviour of persons in the pictures, such as their relationship status, parent status, place of residence, profession, smoking habits or ability to drive a car (which would meet the element of profiling, analysing and predicting behaviours). Therefore, Clearview is considered by the AP to monitor the behaviour of data subjects in the EU.

Infringements of Clearview

Having concluded that the extra-territorial scope was established, the AP rules that Clearview violated several provisions of the GDPR:

  • Processing personal data without a legal basis: the AP concluded ex officio that Clearview could only rely upon its legitimate interests (art. 6(1)(f) GDPR) as a legal basis. However, this legitimate interest would not pass the 3-step assessment, mainly because Clearview’s operations (and thus its freedom of enterprise) were exclusively based upon its infringement of data subjects' privacy (and fundamental rights). In addition, Clearview’s activities, which could extend over the entire lifespan of an individual without any restriction, allowed for a disproportionate impact on the private life of data subjects, who cannot have any reasonable expectation regarding the processing of their data as they have no relation or contract whatsoever with Clearview.

  • Processing of biometric data without a legal basis: processing facial images for the purpose of uniquely identifying an individual is, in principle, prohibited by the GDPR, unless the controller can invoke an exception from art. 9 of the GDPR. Since Clearview could not do so, it is illegally processing biometric data. 

  • Lack of transparency and information towards data subjects: Clearview failed to adequately inform data subjects about the processing of their personal data, thus violating the principle of transparency and the right to information of data subjects. The AP found that Clearview's privacy statements were incomplete and unclear, and that they did not provide the information required by Article 14 of the GDPR, such as the purposes and legal basis of the processing, the recipients and transfers of the data, the retention period, and the rights of the data subjects. The AP also found that Clearview did not make any efforts to directly provide the information to the data subjects.

  • Failure to facilitate and reply to the right of access: Clearview did not respond to access requests and did not facilitate the exercise by data subjects of their right of access. Instead, Clearview systematically stated that it does not respond to data subject requests.

  • Lack of representative in the EU: as a non-European entity subject to the GDPR which systematically processes biometric data of European data subjects, Clearview is obliged to designate a representative in the EU (Article 27(1) of the GDPR). However, the AP decided not to impose a fine for this violation because Clearview had already been fined for this by the Italian and Greek data protection authorities.

The AP’s findings resulted in a €30,5 million fine on Clearview and four injunctions, subject to penalty payments, to cease its ongoing violations and thus to:

  • Stop processing personal data of data subjects in the EU without a lawful basis and delete the data already processed,

  • Inform data subjects in the EU about the processing of their personal data and provide them with the information required by Article 14 of the GDPR,

  • Respond to the access requests of the complainants and any other data subjects in the Netherlands who request access to their personal data,

  • Appoint a representative in the EU and notify the AP and the EDPB of the contact details of the representative.

Our legal considerations

Clearview AI has already expressed its intention not to challenge the decision made by the AP. This choice is likely made not because Clearview agrees with the decision's content, but because it maintains that it is not subject to the GDPR and to the decisions of the European supervisory authorities.

While one can be pleased that the AP is attempting to bring foreign companies in line with the GDPR, it is clear that the decision raises a number of questions and concerns:

  • Did the AP, as other supervisory authorities before it, act too hastily when concluding that Clearview was conducting “monitoring” activities? In this regard, the AP refers to Recital 24 and the recommendations of the EDPB. While profiling and information enrichment for behaviour analysis and prediction undoubtedly fall within the scope of “monitoring”, one can argue that the mere activity of data collection via web scraping (including references) is more debatable. Yet the decision does not seem to distinguish between the two activities.

  • Furthermore, one might wonder why the AP first checks the legitimate interest under Article 6(1)(f), reaching a negative conclusion, and then proceeds with a verification of a legal basis under Article 9. Once it had concluded that biometric data were being processed, should an examination of a legal basis under Article 9 not have been sufficient?

  • The conclusion that Clearview did not take all the necessary steps to inform the data subjects may seem surprising. It should be recalled in this regard that the controller cannot be required to provide this information to the data subjects if the efforts to do so are disproportionate. In the case of pure web scraping activities (without profiling or re-identification attempts, which would be undertaken by the customers), one might wonder if this is not the case.

Finally, the decision shows that the absence of collaboration and explanation during an investigation by a data protection authority is often not the best strategy to follow, even for foreign companies, as supervisory authorities will often assume “worst case” scenarios or make incorrect assumptions.

Webscraping, GDPR and the new AI Act

This decision illustrates the need, struggle (and risks) for companies to find trustworthy and lawful databases. While AI systems are becoming more present in today’s society, finding lawful training data seems to remain a challenge for many companies. Webscraping (internally or by a third party) is then often a tempting but risky option, which should not be considered without prior legal advice. 

The decision made by the AP fits perfectly within the current context of the adoption of the EU AI Act. The untargeted scraping of facial images from the internet to create facial recognition databases, as well as real-time facial recognition technologies used by law enforcement authorities, are considered as a critical risk and will soon become prohibited in the EU following the entry into force of the AI Act last month. We expect that Clearview’s argument with regard to the (non-)application of an EU act will be tackled by the provision on the territorial scope of the new AI Act, which leaves less room for interpretation.

If you have any questions related to AI and data protection, don't hesitate to contact our IP, IT & Data lawyers.

Contact us

Karin Winters

Lawyer - Partner, PwC Legal BV/SRL

+32 476 60 26 94


Loïc Delanghe

Lawyer - Senior Managing Associate, PwC Legal BV/SRL

+32 493 53 96 13
