From Italy’s data protection agency, this press release today:
The Italian SA (Garante per la protezione dei dati personali) fined the US-based company Clearview AI EUR 20 million after finding it applied what amounted to biometric monitoring techniques also to individuals in the Italian territory.
The company reportedly owns a database including over 10 billion facial images from all over the world, which are extracted from public web sources (media outlets, social media, online videos) via web scraping. It offers a sophisticated search service which allows, through AI systems, creating profiles on the basis of the biometric data extracted from the images. The profiles can be enriched by information linked to those images such as image tags and geolocation or the source web pages.
The Italian SA’s inquiries were started also following complaints and alerts and found that Clearview AI – contrary to what was alleged – allows tracking Italian nationals and persons located in Italy. The findings showed that the personal data held by the company, including biometric and geolocation information, were processed unlawfully without an appropriate legal basis – since the legitimate interest of the US-based company does not qualify as such. Additionally, the company infringed several fundamental principles of the GDPR including transparency – as it failed to adequately inform users -, purpose limitation – as it processed users’ data for purposes other than those for which they had been made available online -, and storage limitation – as it did not set out any data storage period. Thus, Clearview AI is violating data subjects’ freedoms including the protection of privacy and non-discrimination.
Based on the infringements found, the Italian SA fined Clearview AI EUR 20 million and ordered the company to erase the data relating to individuals in Italy; it banned any further collection and processing of the data through the company’s facial recognition system.
Clearview AI was finally ordered by the Italian SA to designate a representative in the EU to be addressed in addition to or instead of the US-based controller in order to facilitate exercise of data subject rights.
Rome, 9 March 2022