Italy: Garante fines Clearview AI €20M and bans use of biometric data and monitoring of data subjects in Italy

The Italian data protection authority ('Garante') published, on 9 March 2022, its decision in Case No. 50, as issued on 10 February 2022, in which it imposed a fine of €20 million on Clearview AI, Inc., for violations of Articles 5(1)(a), 5(1)(b), 5(1)(e), 6, 9, 12, 13, 14, 15, and 27 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an investigation launched by the Garante further to media reports, as well as various complaints submitted by individuals and privacy advocacy organisations.

Background to the case

In particular, the Garante noted that Clearview AI, a company headquartered in the US, reportedly owns a database including over 10 billion facial images from individuals all over the world, which are extracted from public web sources via web scraping. In addition, the Garante pointed out that Clearview AI offers a sophisticated search service which allows, through AI systems, the creation of profiles, on the basis of the biometric data extracted from the images and associated metadata.

Additionally, the Garante outlined that the complaints received concerned various profiles of unlawfulness of the data processing carried out by Clearview AI, including its failure to respond to requests for access to data pursuant to Article 15 of the GDPR, and the lack of consent to the processing. Notably, the Garante reported that some of the complainants who had contacted Clearview AI had received in response a special report which confirmed that Clearview AI did include the complainants' pictures in its database.

Findings of the Garante

Further to the above, the Garante examined the applicability of the GDPR to the processing carried out by Clearview AI, in response to the reiterated statements of Clearview AI according to which the same was not subject to the GDPR. Specifically, the Garante concluded that, as Clearview AI had admitted, the same had indeed offered its services in the EU and that, in any case, contrary to what Clearview AI had alleged, the database created did not appear to be a mere classification of individuals on the basis of known characteristics, such as age, sex, and height, but instead a further activity was carried out, consisting in the extraction of biometric data from the images collected on the web and in using them for comparative purposes. In light of this, the Garante highlighted that such activities were comparable to the monitoring of the behaviours of data subjects carried out by means of internet tracing and subsequent profiling. Therefore, the Garante determined that the GDPR applied to the processing in question by virtue of Article 3(2) of the GDPR.

Consequently, based on the elements acquired in the course of the investigation, the Garante determined that the personal data held by Clearview AI, including biometric and geolocation information, was processed in violation of:

  • Articles 5(1)(a), 5(1)(b), and 5(1)(e) of the GDPR, as Clearview AI had, respectively, failed to adequately inform data subjects, processed data subjects' data for purposes other than those for which it had been made available online, and had not set out any data storage period;
  • Article 6 of the GDPR, as the Garante considered that the only legal basis that could possibly justify the processing in question was the legitimate interest of Clearview AI; however, the Garante considered that such interest was merely economic and thus did not outweigh the rights and freedoms of the data subjects, especially on the grounds that the processing was particularly intrusive of data subjects' private spheres;  
  • Article 9 of the GDPR, as the processing of biometric data carried out by Clearview AI did not meet any of the exceptions to the general prohibition of the processing of sensitive data set out therein;
  • Article 12 of the GDPR, on account of the inadequacy of the responses received by the complainants, the unjustified delay in providing the same, and the excessive requests of Clearview AI for verifying the identities of the complainants;
  • Articles 13 and 14 of the GDPR, since the privacy policy on the website of Clearview AI appeared to lack essential elements, such as a specific indication of the legitimate interest pursued by the data controller or a specification of the time limit for data retention;
  • Article 15 of the GDPR, as the complainant had not received a precise and transparent communication with reference to the categories of information listed therein; and
  • Article 27 of the GDPR, on the basis that Clearview AI had failed to nominate a representative in the EU.

Given the nature of the violations that occurred, the Garante imposed an administrative sanction and, in quantifying the same, took into account, among others:

  • that the violations were systematic and had continued even after the service was no longer offered by Clearview AI to customers established in the EU;
  • the likely extremely high number of data subjects involved; while the figure was not precisely quantifiable, the Garante considered it reasonable to assume that the unlawful processing potentially involved all natural persons who are in Italy and are present on the internet; and
  • the high degree of responsibility of Clearview AI, which continued its processing despite the interventions of several data protection authorities.

Outcomes

In conclusion, the Garante imposed a fine of €20 million and ordered Clearview AI:

  • to erase the data relating to individuals in Italy;
  • to cease any further collection and processing of personal data through its facial recognition system; and
  • to designate, within 30 days, a representative in the EU.

Lastly, the Garante required Clearview AI to communicate, within 30 days, the measures implemented to comply with the decision and highlighted that Clearview AI may lodge an appeal before the ordinary judicial authority within 60 days.

You can read the decision here, only available in Italian, and the press release here.

UPDATE (11 March 2022)

EDPB publishes English summary of Garante's decision to fine Clearview AI €20M

The EDPB published, on 10 March 2022, an English summary of the Garante's decision to fine Clearview AI €20 million and to ban use of biometric data and monitoring of data subjects in Italy.

You can read the summary here.