
Alston & Bird Privacy, Cyber & Data Strategy Blog


Italian Supervisory Authority imposes 20 million EUR fine on controller outside of Europe

March 11, 2022 By Yung Shin Van Der Sype and Wim Nauwelaerts

The Italian Garante per la Protezione dei dati Personali (‘Italian SA’) published a decision of February 10, 2022 in which it imposes a 20 million EUR fine on a company outside of Europe for violation of the EU General Data Protection Regulation (‘GDPR’).

Clearview AI is a U.S.-based company that provides search engine services involving facial recognition. The company collects images from social networks, blogs and, in general, from websites containing publicly accessible photos and videos, by using web scraping techniques. The images are subsequently processed and stored in the company’s database, so that when the search engine identifies a match, it can extract all related images from the database. These are then presented to the customer of the service, together with any associated metadata and links.

The Italian SA’s investigation followed several complaints and alerts about Clearview AI’s data processing practices. Given that Clearview AI is headquartered in the U.S. and has no establishment in Europe, the Italian SA first had to determine whether the GDPR applies to Clearview AI’s processing activities. Pursuant to Article 3(2) GDPR, the GDPR applies to the processing of personal data of individuals who are in the European Union (‘EU’) by a controller or processor not established in the EU if the processing activities are related to either the offering of goods or services to those individuals, or if the activities relate to the monitoring of individuals’ behavior (as far as that behavior takes place in the EU). In this particular case, the Italian SA confirmed the territorial applicability of the GDPR, as it found that Clearview AI provides services to individuals in the EU, in addition to monitoring their behavior.

Regarding the merits of the case, the Italian SA concluded that Clearview AI processed personal data – including biometric and geolocation data – unlawfully, as it did not have an appropriate legal basis for the processing. The Italian SA also took the view that Clearview AI had infringed fundamental principles of the GDPR, including the principles of transparency, purpose limitation, and storage limitation.

In light of these violations, the Italian SA imposed a fine of 20 million EUR on Clearview AI and ordered it to erase all personal data relating to individuals in Italy. The Italian SA also banned any further collection and processing of personal data relating to individuals in Italy through Clearview AI’s facial recognition system, and ordered Clearview AI to designate a representative in the EU (for purposes of complying with Article 27 GDPR).

This decision illustrates that European data protection regulators are increasingly focusing their enforcement efforts on companies that, despite the fact that they do not have a physical presence in Europe, are still required to comply with the GDPR (by virtue of Article 3(2) GDPR).

Source: https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9751362.

Filed Under: Data Protection, Enforcement, International

About Yung Shin Van Der Sype

Yung Shin is an associate with Alston & Bird’s Technology & Privacy Group and Privacy, Cyber & Data Strategy Team. She focuses her practice on IT law and HR-related matters, including privacy and data protection, IT contracts, and corporate security.

About Wim Nauwelaerts

Wim Nauwelaerts is a partner in the Brussels office, leading Alston & Bird’s European Privacy, Cyber & Data Strategy Team. Wim has over 20 years of experience working with global companies on their data protection, privacy, and cybersecurity needs, including General Data Protection Regulation (GDPR) readiness, data transfer, data security and breach requirements, and compliance training.

Copyright © 2022 · Alston & Bird · All Rights Reserved. Privacy.