By Robert Bateman
Facial-recognition company Clearview AI faces a barrage of legal issues after digital-rights groups filed complaints with five European data-protection authorities (DPAs) last week.
Privacy advocates behind several of the complaints told Digital Privacy News that Clearview practiced “mass surveillance” in violation of EU and U.K. laws.
“Clearview is creating a new and highly efficient capability for its clients to track, stalk and identify people in public spaces,” said Lucie Audibert, legal officer at U.K.-based nonprofit Privacy International.
“The ability to go about one’s life and participate in public life without fear from surveillance is a core component of privacy — and today, ‘public life’ obviously includes social media and the wider web.”
Clearview did not respond to a request for comment from Digital Privacy News.
Billions of Facial Images
Clearview has amassed a database of biometric information derived from more than 3 billion publicly available facial images. The New York-based company sells access to its database to law enforcement agencies seeking to identify suspects and victims of crime.
“Clearview is creating a new and highly efficient capability for its clients to track, stalk and identify people in public spaces.”Lucie Audibert, Privacy International.
The complaints — filed May 27 by nonprofit groups in Austria, France, Greece, Italy and the U.K. — accuse Clearview of violating Europe’s General Data Protection Regulation (GDPR), which took effect in 2018.
The company previously has denied offering its services in Europe. However, a Swedish police force was fined $304,000 in February after officers were found to have used Clearview on several occasions.
Subject to GDPR Rules
But Audibert told Digital Privacy News that by “indiscriminately collecting photos and other information” about Europeans, “processing photos to extract facial features,” and “storing that data indefinitely,” Clearview was liable under the GDPR — regardless of whether its services were available in Europe.
“Online users do have certain expectations about how the information they choose to divulge will be used, and who will see it,” she said.
“Indiscriminately collecting that information, and processing it to create a biometric database, clearly goes against the GDPR principles of fairness and purpose limitation.”
“If a U.S. company wants to play in the EU field, it has to follow the European rules and respect them.”Marina Zacharopoulou, Homo Digitalis, Greek nonprofit.
Marina Zacharopoulou, technical compliance manager at Athens-based nonprofit Homo Digitalis, which also filed a complaint against Clearview to the Greek DPA, said: “Clearview AI has to comply with the GDPR — and I am explicit regarding this matter.
“While Clearview AI denied that EU law applies to it, the Hamburg DPA … clarified that it has jurisdiction,” Zacharopoulou told Digital Privacy News.
In January, the Hamburg DPA stated that Clearview’s activities were unlawful in the EU and ordered the company to delete a Hamburg resident’s biometric information.
“If a U.S. company wants to play in the EU field, it has to follow the European rules and respect them,” Zacharopoulou said.
January’s Hamburg complaint was spearheaded by the Austrian nonprofit, the European Center for Digital Rights (None of Your Business — NOYB), which also filed a new complaint with the Austrian DPA last week as part of the coordinated effort against Clearview.
“As individuals, we are all entitled to determine who, how and for what our data will be processed,” Romain Robert, NOYB program director, told Digital Privacy News. “That’s the essence of the GDPR.
“Clearview clearly disregards that by collecting our data to create a commercial dataset, where the intrusion on my privacy is a source of risk,” he continued.
“What if I want to disappear from the internet?” Robert posed. “What if I made sure to separate any information of my private life on the different site?”
The five DPAs in receipt of the Clearview complaints have three months to respond. If successful, the complaints could result in a fine or an order to stop processing the personal data of people in the EU and U.K.
“As individuals, we are all entitled to determine who, how and for what our data will be processed.”Romain Robert, European Center for Digital Rights.
“The data-protection authorities have strong investigative powers — and we need a coordinated reaction,” said Zacharopoulou of Homo Digitales, “because this might be the end of privacy and human rights as we know them.”
Robert Bateman is a writer in Brighton, U.K.
- NOYB (None of Your Business): Digital Rights alliance file legal complaints against facial recognition company Clearview AI
- European Data Protection Board: Swedish DPA: Police unlawfully used facial recognition app | European Data Protection Board
- Digital Privacy News: Clearview’s Biometric Database Ruled ‘Illegal’ in Canada, EU