Extraterritorial enforcement of the GDPR in light of Clearview AI’s recent fine
Clearview AI
Clearview AI (hereinafter: Clearview), a facial recognition company based in New York, has developed a tool that recognises individuals by uploading a facial image and matching it with the 50 billion images stored within their database. It entered the spotlight in 2020, when the New York Times published an article that uncovered that Clearview had collected billions of images of individuals by indiscriminately scraping images from the Internet without their knowledge or consent. “Data scraping” is the automatic extraction of large amounts of data by the use of web scraping software. Clearview has collected data from millions of domain names by using an open-web crawling algorithm which collects data in an untargeted and systemic way. Clearview's data scrapers target not only individuals residing in the United States but anyone around the world whose pictures are available online. Clearview’s goal is to identify every single person on the planet using its facial recognition tool1.
(Extra)territorial Scope of the GDPR
Compared to its predecessor, the DPD, the territorial scope of the GDPR was significantly expanded. The GDPR’s territorial scope potentially extends to a wide range of online processing activities that take place outside the EU. A controller without an establishment within the EU could still be subject to the GDPR’s territorial scope if they monitor the behaviour of individuals residing within the EU.
In Clearview’s case, the AP determined that Clearview processes personal data of Dutch individuals, as images of Dutch citizens were found in Clearview’s database. The AP also referenced earlier decisions by other EU DPAs, which confirmed that Clearview’s database contained images of German, Italian and French citizens. Additionally, Clearview’s processing activities are deemed to involve the monitoring of the behaviour of Dutch citizens. The images that are collected also include the underlying metadata, such as webpage title, source link, geographical location, age, education, gender, date of birth, nationality, language and other data2. The collection and storage of facial images can be a great source of information about a person’s private life, especially when this occurs for an extended period of time. When images and their underlying metadata are collected continuously, the constant influx of information with regard to geographical location could reveal a person’s home address, work address, where they are located throughout the day, and other personal information concerning the individual. Considering the amount of pictures that Clearview collected and the continuous updates to the database with new (meta)data, it enables the monitoring of individuals’ behaviour over time.
As a result, Clearview’s processing activities are subject to the territorial scope of the GDPR. Nonetheless, based on prior enforcement actions taken by EU DPAs, it seems that enforcing the GDPR extraterritorially may be challenging in practice.
Extraterritorial Enforcement Issues
The EU is obligated to guarantee the protection of personal data rights, as it is a fundamental right within the EU, and this protection may even extend beyond the EU’s borders. The difficulty of enforcing the GDPR, when it comes to cross-border processing, lies in the very nature of the Internet. The Internet is a global interconnected network that is not restricted by geographical borders. Data scrapers are not hindered by technological or geographical barriers when accessing personal data of EU residents on the Internet. On the other hand, the extraterritorial reach of the GDPR is delimited by state sovereignty. In practice, this complicates the extraterritorial enforcement of the GDPR when controllers do not have an establishment within the EU, as EU DPAs lack jurisdiction to enforce the GDPR outside EU borders.
Prior to the AP’s fine, several DPAs in the EU, including in Austria, France, Germany, Italy and Greece have established that the activities of Clearview are violating the GDPR. Clearview insists that the GDPR does not apply to them because it does not provide its services in the EU. The company has been uncooperative with enforcement actions from EU DPAs.
Next Steps
Given Clearview’s non-compliance with previous fines imposed by other EU DPAs, the AP is exploring alternative methods to ensure that Clearview ceases its violations. This includes investigating whether the company's directors can be held personally responsible for the breaches. With the recent arrest of Telegram's founder in France, it is worth considering whether sanctioning the management of Clearview could be a more effective approach to enforcing GDPR compliance. However, it remains to be seen whether this approach will prove succesful.
If your business employs similar (facial recognition) technologies or services and requires guidance on GDPR compliance, do not hesitate to get in touch with Privacy Company.
[1] Drew Harwell, ‘Facial recognition firm Clearview tells investors it’s seeking massive expansion beyond law enforcement’ (WashingtonPost 16 February 2022) <www.washingtonpost.com/technology/2022/02/16/clearview-expansion-facial-recognition/> accessed 15 August 2023.
[2] Garante per la protezione dei dati personali, Decision 9751362, Ordinanza ingiunzione nei confronti di Clearview AI, 10 febbraio 2022.
