The Dutch Data Protection Authority (Dutch DPA) has imposed a significant fine of €30.5 million ($33.7 million) against facial recognition firm Clearview AI. The fine was issued for violating the General Data Protection Regulation (GDPR) in the European Union (E.U.) by building what the authority described as an "illegal database with billions of photos of faces," including those of Dutch citizens.
"Facial recognition is a highly intrusive technology that you cannot simply unleash on anyone in the world," said Dutch DPA chairman Aleid Wolfsen in a press statement. He emphasized the risks posed by such technology, stating, "If there is a photo of you on the Internet – and doesn't that apply to all of us? – then you can end up in the database of Clearview and be tracked. This is not a doom scenario from a scary film. Nor is it something that could only be done in China."
Clearview AI, a New York-based company, has faced regulatory scrutiny in several countries, including the U.K., Australia, France, and Italy. The company has been criticized for its practice of scraping publicly available images from the internet to build a vast database containing over 50 billion photos of people's faces. These images are used to assign unique biometric codes to individuals, which are then offered as part of intelligence and investigative services to law enforcement agencies to "rapidly identify suspects, persons of interest, and victims to help solve and prevent crimes."
The Dutch DPA has accused Clearview of collecting facial data without the consent or knowledge of the individuals involved. The authority also pointed out that the company "insufficiently" informs those in its database about how their data is used and fails to provide a mechanism for individuals to access their data upon request.
Currently, Clearview only offers residents of six U.S. states – California, Colorado, Connecticut, Oregon, Utah, and Virginia – the ability to access, delete, and opt out of profiling. The Dutch DPA also noted that Clearview did not cease its violations even after being investigated. The company was ordered to stop its practices immediately or face an additional fine of €5.1 million ($5.6 million). Moreover, the ruling bans Dutch companies from using Clearview's services.
"We are now going to investigate if we can hold the management of the company personally liable and fine them for directing those violations," Wolfsen added. He mentioned that liability exists if directors know that GDPR is being violated, have the authority to stop it, but fail to do so, thereby consciously accepting the violations.
In response, Clearview argued that it does not fall under EU data protection regulations since it does not have a place of business in the Netherlands or the E.U. The company described the Dutch DPA's decision as "unlawful."
Earlier in June, Clearview settled a lawsuit in the U.S. state of Illinois over facial recognition privacy violations. The settlement granted plaintiffs a 23% stake in the company’s future value, rather than a traditional financial payout, though Clearview did not admit to any wrongdoing.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067