Recently, the Italian Data Protection Authority (DPA) imposed a fine of €20 million on US facial recognition company Clearview AI and ordered the deletion of its data.
This is the first action to be taken by a European regulator against a company which uses facial recognition technology.
Let’s explore why the Italian DPA took this action against Clearview AI and its implications for the technology.
Italy fines Clearview AI €20M and orders data deleted
Clearview AI is an American company which uses facial recognition technology to enable law enforcement, government and business organisations to identify members of the public on surveillance images. The technology uses a database of over 3 billion images from websites such as Facebook and YouTube, which Clearview AI collects and then analyses when presented with an image of a person or object.
However, in March 2021, the Italian Data Protection Authority (DPA) launched an investigation into Clearview AI’s use of its facial recognition technology. At the end of the investigation, the Italian DPA determined that Clearview AI had violated Italian data protection laws by collecting personal data without obtaining user consent or providing sufficient information. As a result of this violation, they issued a fine of €20 million against Clearview AI and ordered them to delete all personal data collected in Italy within one month.
What Happened?
Italy’s Data Protection Authority (DPA) recently fined Clearview AI a huge sum of €20M for breaching the EU’s GDPR rules.
The DPA also ordered the company to delete the data of more than 1 million Italians it had collected.
This article will look into the key events that led to the hefty fine and data deletion order.
The Italian DPA’s investigation
The Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) launched an investigation into the controversial facial recognition company Clearview AI on July 7, 2020.
The regulator based its investigation on a series of articles published by two US media outlets, which alleged that Clearview AI was unlawfully collecting biometric data from European citizens and using it for surveillance and marketing services.
Upon completion of its investigation, the Italian DPA concluded that Clearview AI had violated multiple aspects of the EU General Data Protection Regulation (GDPR), including lack of legal basis for the data processing, inadequate risk analysis, failure to implement appropriate security measures, lack of effective notification to data subjects and insufficient transparency and accountability.
Consequently, the regulator imposed a fine of €20 million on Clearview AI and ordered it to delete all European personal data within 30 days.
The findings
On May 4, 2021 the Italian Data Protection Authority (Garante per la protezione dei dati personali) ruled to find Clearview AI €20 million and ordered them to delete any data collected from Italians. The decision follows an investigation spurred by complaints that the company was processing biometric facial recognition data of Italians without prior consent or authorization.
The Garante’s ruling stated that Clearview had unlawfully gathered and processed the Italian citizens’ images and other data through its Facial Recognition software. In particular, it found that Clearview had used unmonitored images labelled as “selfies” gathered by scraping websites to identify groups of people under various categories such as gender and ethnic origin, without protecting from disclosure any type of user information. The Garante concluded that such processing activities posed a serious risk for privacy and violated personal data protection laws in several ways.
The Garante thus ordered Clearview to immediately delete all personal data of individuals resident in Italy from its systems, cease further storage and erase any imported such images by their Order to Delete Images process. Additionally, the fine imposed on Clearview requires it to pay €20 million within 30 days or face an additional fine each month until payment is made in full.
The Consequences
The Italian Data Protection Authority (DPA) has just announced its biggest penalty – fining tech startup Clearview AI €20 million for illegally using personal data for facial recognition algorithms.
The DPA also ordered the company to delete all data of its clients in Italy, which further underlines the importance of data protection in the country.
In this article, we’ll go into more detail about the consequences of this fine.
The €20M fine
The Italian Data Protection Authority (DPA) has levied a €20M fine against facial recognition company Clearview AI in response to its failure to comply with the nation’s privacy laws. While data protection laws vary between countries, a violation of the EU’s General Data Protection Regulation (GDPR) occurred.
According to the GDPR, all personal data must be collected and stored responsibly, with explicit consent from those whose data have been gathered. Yet, Clearview AI allegedly allowed customers to access and use biometric data from more than three million users without their consent. Additionally, Clearview AI failed to request citizens’ explicit opt-in for their facial images even after facing warnings from EUdata protection agencies.
The decision to impose a €20M fine reinforces the European Union’s commitment to protecting personal data and consumers’ rights. In addition to the hefty fine, an order has also been issued for Clearview AI data collected in Italy to be deleted completely.
Data deletion orders
The Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) has issued a €20 million fine to the facial recognition company Clearview AI and an extensive list of orders designed to protect its citizens’ data. It has also ordered the company to delete all its processed data and images collected from Italy, or suffer further sanctions.
This is part of an on-going investigation into several companies accused of illegally collecting and processing personal information without users’ consent. For example, Clearview AI was found to have built a facial recognition database using over 3 billion photos taken from public sources like social media platforms, websites, and photo upload services. The EU General Data Protection Regulation (GDPR) prohibits this kind of use.
To prevent any further violations, the Garante has ordered Clearview AI to:
- Delete all data from Italian citizens within 20 days;
- Stop indexes on any other EU countries within 8 days;
- Disable access for Web browsers in Italy;
- Monitor global web scraping activity;
- Suspend image capture;
- Deactivate automatic updates; and
- Refrain from selling its services in Europe.
The Garante emphasised that this was an initial response while they reviewed additional evidence. However, they take this matter very seriously. After assessing all available evidence, they will issue final decisions, particularly whether the company has adhered to GDPR requirements in collecting private information from its users’ accounts without their consent.
Implications
The Italian Data Protection Authority (Garante) has recently issued a fine of €20 million and an order to Clearview AI to delete all data collected in Italy.
This move to fine Clearview AI is a major implication for technology companies facing regulatory concerns over data privacy and security. However, this move may be just the beginning regarding government agencies attempting to rein in tech giants and their data collection practices.
Impact on Clearview AI
The Italian Data Protection Authority (DPA) has placed a significant monetary fine of €20 million, and ordered Clearview AI to delete the user data of all individuals across the European Union. This action signals that European lawmakers take the risks associated with data privacy seriously. Furthermore, the order is a reminder to companies who handle data belonging to EU citizens, and sanctions Clearview AI who was found to have committed multiple violations of the GDPR.
The fine and deletion order will significantly impact Clearview AI as they are likely to face similar actions from other countries looking into their activities. Other European authorities have also taken steps to regulate facial recognition tools, with some countries prohibiting or restricting its use entirely. Going forward, Clearview AI may need to adopt tighter privacy measures and adjust their operations around Europe to ensure compliance with different regulations.
The DPA’s decision has also sparked further conversations about facial recognition technology among lawmakers worldwide, including in the U.S., where two Congressional members recently introduced legislation that would restrict how it can be used commercially in America. It remains unclear how such legislation might be implemented. Still, it indicates some level of concern about potential abuses related to facial recognition technology like that that Clearview AI employs for commercial purposes within certain jurisdictions.
Impact on other companies
As an increasing number of governments begin to crack down on facial recognition technology, the implication of Italy’s ruling could have a ripple effect that impacts businesses in other sectors. Companies using biometric data (for example, fingerprints, retinal scans, DNA profiles) could face similar fines and orders shortly.
Moreover, this ruling could cause businesses to reconsider their approach to data protection, as other countries look to Italy’s lead before taking action of their own. Businesses must become aware that lax attitude to customer data privacy can lead to hefty fines and severe consequences—many international companies may need to change their data policies accordingly.
The fine imposed on Clearview AI has set a precedent for other industries and countries focused on the ethical application of facial recognition technology. As a result, it may be time for companies across many sectors – not just tech – to review their current policies regarding customer data protection globally and ensure that they meet or exceed what is required by all applicable regulators.
“
tags = 10 billion of faces to power an identity-matching service, data protection agency, €20 million penalty for breaches of EU law, france clearview gdpr clearview eulomastechcrunch, france ai gdpr clearview eulomastechcrunch, france clearview ai gdpr eulomastechcrunch, france clearview gdpr eulomastechcrunch, france clearview eulomastechcrunch, france clearview ai gdpr clearview eulomastechcrunch, clearview gdpr eulomastechcrunch, clearview gdpr clearview eulomastechcrunch, ai gdpr clearview eulomastechcrunch, gdpr clearview eulomastechcrunch, france clearview ai eulomastechcrunch, france gdpr clearview eulomastechcrunch
“