On July 13th, 2022, the Greek Data Protection Authority (DPA) released its decision about the claims brought by the NGO Homo Digitalis on the processing of individuals’ biometric data by Clearview. This lawsuit follows many similar cases filed by Noyb, Privacy International, and the Hermès Center for transparency and Digital Human Rights before the French, British, Italian and Austrian DPAs to stop the American start-up collecting biometric data belonging to European citizens. Up to now, Clearview AI has been fined by the ‘Garante della Privacy’ (the Italian DPA) and the ICO (Information Commissioner’s Office – the British DPA). A decision by the Austrian DPA is yet to be released. In addition to this, the Swedish DPA and the Hamburg Commissioner for data protection have also adopted strong stances towards Clearview with regard to other contexts.
The Greek DPA’s decision is therefore part of a broader context of mistrust towards Clearview’s practices in Europe concerning European citizens. In particular, one area of concern for the Greek DPA is the behavioural monitoring conducted by Clearview. On this specific topic the DPA claimed in its decision that “Biometric processing techniques used by the defendant to enable a person to be targeted ultimately lead to profiling as a result of a search by a user of the defendant’s tool. This search is renewed over time, as the database is constantly updated, which makes it possible to establish the possible evolution of information relating to a particular person, in particular if the results of successive searches are compared with each other”.
Interestingly, the Greek DPA is essentially basing its ruling on the violation of Article 6 of the GDPR – which concerns the lawfulness of personal data processing in general – and not on Article 9, which specifically deals with the lawfulness of the processing of special categories of personal data, including biometric data. In this respect the Greek DPA stated: “bearing in mind that the processing of special categories of data is in principle prohibited and permitted only if one of the legal bases referred to in Article 6 and one of the exceptions set out in Article 9(2) GDPR cumulatively apply and that none of the legal bases of Article 6 GDPR exist in relation to the processing of critical data, it appears that the processing of biometric data carried out by the defendant does not meet the legal requirements laid down by the GDPR”.
The Greek DPA also holds Clearview responsible for collecting and processing Greek citizens’ data without their consent and without even informing them. It has also fined Clearview AI for not appointing any representative as provided for in Article 27 of the GDPR. The DPA has also asked Clearview AI to erase the Greek citizens’ data it has collected and processed unlawfully.
In order to determine the quantity of the fine the Greek DPA has taken into account “the nature, gravity and duration of the infringement, which is not an isolated incident, but is systematic and concerns the basic principles of the lawfulness of the processing (art. 5, 6, 9 GDPR), which are fundamental to the protection of personal data, in accordance with the GDPR.” and the fact that Clearview AI collects and processes biometric data, which are particularly sensitive kinds of data.
For all these reasons the Greek DPA has finally followed in the footsteps of the Italian DPA by fining Clearview AI 20 million euros.
With the Italian DPA fining Clearview 20 million euros and the British ICO fining the company 7.5 million pounds, European data protection authorities are increasingly punishing Clearview for collecting and processing European citizens’ biometric data without a proper legal basis.