Italian DPA fines Clearview AI for illegally monitoring and processing biometric data of Italian citizens

On 9 March 2022, the Italian Data Protection Authority fined the US-based facial recognition company Clearview AI EUR 20 million after finding that the company monitored and processed biometric data of individuals on Italian territory without a legal basis. The fine is the highest expected according to the General Data Protection Regulation, and it was motivated by a complaint sent by the Hermes Centre in May 2021 in a joint action with EDRi members Privacy International, noyb, and Homo Digitalis—in addition to complaints sent by some individuals and to a series of investigations launched in the wake of the 2020 revelations of Clearview AI business practices.

By Hermes Center & Reclaim Your Face (guest author) · March 23, 2022

On 9 March 2022, the Italian Data Protection Authority (DPA) fined the US-based company Clearview AI EUR 20 million after finding that the company monitored and processed biometric data of individuals on Italian territory without a legal basis.

The company reportedly owns a database including over 10 billion facial images which are scraped from public web sources such as websites, social media, online videos. It offers a sophisticated search service that creates profiles on the basis of the biometric data extracted from the image.

The fine is the highest expected according to the General Data Protection Regulation (GDPR), and it was motivated by a complaint sent by the Hermes Centre in May 2021 in a joint action with EDRi members Privacy International, noyb, and Homo Digitalis—in addition to complaints sent by some individuals and to a series of investigations launched in the wake of the 2020 revelations of Clearview AI business practices.

In addition to the fine, the Italian DPA ordered the company to delete personal and biometric data relating to individuals from Italy, to stop any further processing of data belonging to Italian people, and to designate a representative in the EU. Pictures were analysed by the facial recognition algorithm created by Clearview AI to build up a gigantic database of biometric data and access to the same database was sold to law enforcement agencies. The company also extracts any associated metadata from the image: title of the image or webpage, geolocation, date of birth, source link, nationality, gender.

According to the Italian DPA, biometric and personal data were processed unlawfully without an appropriate legal basis, the company failed to adequately inform people of how their images were collected and analysed, and processed people’s data for purposes other than those for which they had been made available online. In fact, a line of argument of Clearview AI was to equate themself to Google Search for faces. However, the DPA stated that, by selling access to a database and a proprietary face matching algorithm intended for certain categories of customers, “Clearview has specific characteristics that differentiate it from a common search engine that does not process or enrich images on the web […] creates a database of image snapshots that are stored as present at the time of collection and not updated.”

In addition, the DPA highlights that “the company’s legitimate interest in free economic initiative cannot but be subordinate to the rights and freedoms of the persons concerned.”

At the moment Clearview has 30 days to communicate to the Italian DPA what measures they are adopting and up to 60 days to either pay the fine or appeal to a court.

This decision is an other step in the right direction to ban all sorts of biometric surveillance practices that, as higlighted by EDRi-led campaign Reclaim Your Face, have a huge impact on fundamental human rights.

(Contribution by: Laura Carrer, Research and Advocacy at Digital Rights Unit, Hermes Center & Riccardo Coluccini, Reclaim Your Face national campaign contributor)