Privacy, Technology and Perspective
Clearview AI is “Persona non Grata:” Clearview AI (Clearview) may be the world’s largest source of photographs and related biometric information, widely used in facial-recognition products. We have written about Clearview in previous posts, including the following post, entitled “Clear Views on Clearview AI”:
This week, the Italian Supervisory Authority (ISA) – a regulatory body responsible for enforcing GDPR and related privacy concerns in Italy – released its February 10 decision fining Clearview € 20 million for violations stemming from Clearview’s data collection and processing in Italy.
The ISA has also ordered Clearview:
– To stop collecting (by web scraping techniques) or processing personal data in Italy altogether;
– To erase the Italian personal data it has, subject to timely response to any data-subject access requests that may be pending; and
– To designate a representative within the European Union.
The ISA seemed to go out of its way to say that it launched this enforcement action on its own initiative after reading press reports of Clearview’s activities – not just because of the four complaints and two privacy-activist alerts it received about Clearview in 2021.
The ISA found specifically that Clearview has infringed a whole range of GDPR requirements, including:
– Processing personal data (including biometric and geolocation data) without an appropriate legal basis (specifically noting that the “legitimate interest of the US-based company” doesn’t qualify);
– Failing to provide transparency, purpose limitation, and storage limitations under the “fundamental principles” of the GDPR;
– Failing to provide data subjects with the information required to be given when their personal data is collected (GDPR Articles 13-14);
– Failing to respond in a timely manner to data-subject access requests (GDPR Article 15); and
– Failing to designate a representative within the European Union.
It appears, then, that unless and until it radically revamps its entire business model, Clearview is now persona non grata in the world’s 11th-largest economy.
That’s news. We draw two lessons from this:
National supervisory authorities in the European Economic Area are now experienced, serious, and aggressive.
Where one national supervisory authority leads, we expect that others will follow. They may wait for a period of time, to see if the respondent (here Clearview) makes the same changes in their countries that it may make in the country which imposed sanctions. But given the mandatory and EEA-wide scope of the GDPR, if the respondent simply pulls out of the sanctioning country and continues the sanctioned conduct everywhere else, we expect that most or all of the other national supervisory authorities would soon fine and effectively expel it too.
Non bene for Clearview.
To read the entire communication about the ISA’s Order, click on the following link:
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.