The Dutch Data Protection Authority (Dutch DPA) has imposed a fine of €30.5 million ($33.7 million) against facial recognition firm Clearview AI for violating the General Data Protection Regulation (GDPR) in the European Union (E.U.) by building an “illegal database with billions of photos of faces,” including those of Dutch citizens.
“Facial recognition is a highly intrusive technology that you cannot simply unleash on anyone in the world,” Dutch DPA chairman Aleid Wolfsen said in a press statement.
“If there is a photo of you on the Internet – and doesn’t that apply to all of us? – then you can end up in the database of Clearview and be tracked. This is not a doom scenario from a scary film. Nor is it something that could only be done in China.”
Clearview AI has been in regulatory hot water across several countries, such as the U.K., Australia, France, and Italy, over its practice of scraping publicly available information on the internet to build a vast database comprising more than 50 billion photos of people’s faces.
The individuals identified from these images are assigned a unique biometric code, which is then packaged as part of intelligence and investigative services offered to its law enforcement clients to “rapidly identify suspects, persons of interest, and victims to help solve and prevent crimes.”
The Dutch DPA, in addition to accusing Clearview of collecting users’ facial data without their consent or knowledge, said the company “insufficiently” informs the people who are in its database about how their data is used and that it doesn’t offer a mechanism to access their data upon request.
Currently, Clearview only offers residents of six U.S. states – California, Colorado, Connecticut, Oregon, Utah, and Virginia – the ability to access, delete, and opt out of profiling.
It also alleged that the New York-based firm did not stop the violations even after the investigation, ordering it to cease them with immediate effect or risk facing an additional fine of €5.1 million ($5.6 million). Furthermore, the ruling bans Dutch companies from using Clearview’s services.
“We are now going to investigate if we can hold the management of the company personally liable and fine them for directing those violations,” Wolfsen said.
“That liability already exists if directors know that the GDPR is being violated, have the authority to stop that, but omit to do so, and in this way consciously accept those violations.”
In a statement shared with the Associated Press, Clearview said it doesn’t fall under EU data protection regulations as it does not have a place of business in the Netherlands or the E.U. It also described the decision as “unlawful.”
Back in June, the company further settled a lawsuit filed in the U.S. state of Illinois over facial recognition privacy violations by granting plaintiffs a 23% stake in its future value, as opposed to a traditional payout. It, however, did not admit to any wrongdoing.