The Italian Garante per la Protezione dei dati Personali (‘Italian SA’) published a decision of February 10, 2022 in which it imposes a 20 million EUR fine on a company outside of Europe for violation of the EU General Data Protection Regulation (‘GDPR’).
Clearview AI is a U.S.-based company that provides search engine services involving facial recognition. The company collects images from social networks, blogs and, in general, from websites containing publicly accessible photos and videos, by using web scraping techniques. The images are subsequently processed and stored in the company’s database, so that when the search engine identifies a match, it can extract all related images from the database. These are then presented to the customer of the service, together with any associated metadata and links.
The Italian SA’s investigation followed several complaints and alerts about Clearview AI’s data processing practices. Given that Clearview AI is headquartered in the U.S. and has no establishment in Europe, the Italian SA first had to determine whether the GDPR applies to Clearview AI’s processing activities. Pursuant to Article 3(2) GDPR, the GDPR applies to the processing of personal data of individuals who are in the European Union (‘EU’) by a controller or processor not established in the EU if the processing activities are related to either the offering of goods or services to those individuals, or if the activities relate to the monitoring of individuals’ behavior (as far as that behavior takes place in the EU). In this particular case, the Italian SA confirmed the territorial applicability of the GDPR, as it found that Clearview AI provides services to individuals in the EU, in addition to monitoring their behavior.
Regarding the merits of the case, the Italian SA concluded that Clearview AI processed personal – including biometric and geolocation data – unlawfully, as it did not have an appropriate legal basis for the processing. The Italian SA also took the view that Clearview AI had infringed fundamental principles of the GDPR, including the principles of transparency, purpose limitation, and storage limitation.
In light of these violations, the Italian SA imposed a fine of 20 million EUR on Clearview AI and ordered it to erase all personal data relating to individuals in Italy. The Italian SA also banned any further collection and processing of personal data relating to individuals in Italy through Clearview AI’s facial recognition system, and ordered Clearview AI to designate a representative in the EU (for purposes of complying with Article 27 GDPR).
This decision illustrates that European data protection regulators are increasingly focusing their enforcement efforts on companies that, despite the fact that they do not have a physical presence in Europe, are still required to comply with the GDPR (by virtue of by Article 3(2) GDPR).