Clearview AI data deemed illegal in Austria
The Austrian Data Protection Authority (DSB) has issued a decision in which it found Clearview AI in violation of several Articles of the Data Protection Regulation (Regulation (EU) 2016/679), in particular:
- Article 5(1)(a): the processing of the personal data lacked lawfulness, fairness and transparency;
- Article 5(1)(b): the processing serves a completely different purpose from the original publication of the personal data;
- Article 6(1): the interests of the data subject outweighed the commercial interests of Clearview AI; and
- Article 9(1): the scanning of the complainant’s face and the extraction of his uniquely identifying facial features constitutes processing of special categories of personal data.
What is Clearview AI?
Clearview AI is a company that sells facial recognition software to US law enforcement agencies.
It claims to have the “largest known database of more than 10 billion facial images” and aims to reach 100 billion to make almost every person worldwide identifiable. The images come from social media and other online sources.
Clearview AI uses its software to monitor the behaviour of people in Austria, despite being based in the US and not offering its services in Austria.
The decision
Following a complaint by an individual whose images had been collected, the DSB held that Clearview AI is no longer allowed to process biometric data and must delete all personal data of the complainant.
Additionally, Clearview AI is required to appoint a representative in the EU, in accordance with Article 27, as it monitors the behaviour of EU residents. This will also enable EU citizens to exercise their rights more easily and have a point of contact in the EU.
On the breach of Article 5(1), the DSB explained that there was no lawful basis for processing. The processing could not be lawful and was unfair as the complainant could not expect their photographs to be added to a database by Clearview AI and made available to its clients (including the US law enforcement agencies).
DSB found Clearview AI to have violated Article 9 as there was no legitimate interest available as the right of the complainant outweighed the interests of Clearview AI, resulting in a serious interference with the complainant’s privacy. There was also a breach of this Article as the DSB notes that the processing fell within the scope of ‘biometric data’ and so fell within ‘special categories of personal information’.
In light of the breaches, DSB concluded the processing of the complainant’s personal data was unlawful and ordered Clearview AI to delete the data in accordance with Article 17(1).
Unlike the French, Italian, Greek and UK regulators, the DSB elected not to issue a fine in response to the complaint and investigation. DSB did not consider it necessary to order a general ban of Clearview AI but indicated that it may later decide to do so.
This is not the first decision made against Clearview AI, it follows the decision made in France, Greece, Italy and the UK. These authorities prohibited the collection and processing of data by Clearview AI.
If you have any queries about anything in this article or on data protection, please contact Alex Craig using [email protected] or 0191 211 7911.