Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Greece: HDPA fines Clearview AI €20M for lawfulness and transparency violations

The Hellenic Data Protection Authority ('HDPA') published, on 14 July 2022, its decision No. 35/2022, as issued on 13 July 2022, in which it imposed a fine of €20 million on Clearview AI, Inc., for violations of Articles 5(1)(a), 6, 9, 12, 14, 15, and 27 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint submitted by Homo Digitalis on behalf of the data subject.

Background to the decision

In particular, the HDPA stated that the complainant who had submitted their complaint at the same time as four other complaints before the supervisory authorities of Austria, France, Italy, and the UK, claimed that Clearview AI violated their access right under Article 15 of the GDPR. Additionally, the HDPA reminded Clearview AI of the provisions under Article 3(2) and 27 of the GDPR related to the territorial scope of the GDPR and the controller's obligation to appoint a representative where the same is not established in the EU, which Clearview AI contradicted, noting, among other things, that it does not provide products or services to data subjects within the EU, nor monitor their behaviour, and that it only provides its services to law enforcement agencies outside the EU.

Findings of the HDPA

Following its assessment, the HDPA found that Clearview AI violated:

  • its obligation under Article 27 of the GDPR because it failed to appoint a representative in the EU, having established that Clearview AI falls within the scope of the GDPR, in accordance with Article 3(2)(b) of the GDPR;
  • the principle of lawfulness under Article 5(1)(a), 6, and 9 because the processing carried out is not based on any legal basis provided for in Article 6 of the GDPR, and no exceptions under Article 9 of the GDPR regarding special categories of data apply;
  • the principle of transparency under Article 5(1)(a) of the GDPR as required by the respective information obligation under Article 14 of the GDPR, because Clearview AI failed to adequately inform the data subjects of the collection and use of their personal data; and
  • the complainant's right of access under Articles 12 and 15 of the GDPR.

Furthermore, to reach this decision, the HDPA considered aggravating factors, including the systematic nature of the violation of the principle of lawfulness, the fact that the processing concerned special categories of data, i.e. biometric data, and Clearview AI's lack of cooperation with the HDPA.

Outcomes

As a result, the HDPA:

  • fined Clearview AI €20 million;
  • ordered Clearview AI to comply with its obligation relating to the exercise of the complainant's access right;
  • imposed the prohibition of collection and processing of personal data of subjects located in Greece; and
  • ordered the deletion of the personal data of data subjects based in Greece.

You can read the press release here and the decision here, both only available in Greek.

UPDATE (22 July 2022)

EDPB publishes summary of HDPA's decision to fine Clearview AI

The European Data Protection Board ('EDPB') published, on 20 July 2022, a summary of the HDPA's decision to fine Clearview AI.

You can read the summary here.