The Italian Data Protection Authority (Garante per la protezione dei dati personali) has imposed a significant fine of EUR 20 million on Clearview AI Inc., a US-based company specializing in facial recognition technology. This decision, finalized on February 10, 2022, marks a decisive move in upholding data privacy regulations within Italy and the European Union. The case, while national in origin, applies Article 3(2) of the GDPR, highlighting the regulation’s reach beyond geographical borders when processing the data of EU residents.
The core of the Italian SA’s decision revolves around Clearview AI’s processing of personal data, including sensitive biometric and geolocation information, without a valid legal basis under GDPR. The investigation was initiated following press reports and complaints filed in 2021 by privacy advocacy organizations, raising concerns about Clearview AI’s facial recognition products.
The Italian authority’s inquiry revealed substantial breaches of GDPR principles by Clearview AI. The company’s reliance on “legitimate interest” as a legal basis for processing personal data was deemed insufficient. Furthermore, Clearview AI was found to have violated fundamental GDPR principles related to transparency, purpose limitation, and storage limitation. The company also failed to adequately provide information to data subjects as mandated by Articles 13 and 14, neglected to respond to Article 15 access requests within the stipulated timeframe, and did not designate a representative within the European Union, a requirement for companies operating within the EU’s jurisdiction but based outside.
In response to these infringements, the Italian SA issued a comprehensive decision, encompassing not only the substantial EUR 20 million fine but also several injunctive measures aimed at protecting the data of individuals within Italy. These measures include:
Key Directives from the Italian Data Protection Authority
Ban on Further Data Collection and Processing
The Italian SA has explicitly prohibited Clearview AI from any further collection of images and associated metadata of individuals located within Italy. This ban extends to the use of web scraping techniques to gather data. Moreover, the company is barred from further processing any existing standard and biometric data related to individuals in Italy through its facial recognition system. This directive is crucial in preventing future violations and safeguarding the privacy of Italian residents.
Data Erasure Mandate
Perhaps the most impactful aspect of the decision is the order for Clearview AI to erase all data, including biometric data, pertaining to individuals within the Italian territory. This data, processed through Clearview AI’s facial recognition system, must be permanently deleted. However, the decision acknowledges the company’s obligation to address data subject rights requests under Articles 15 to 22 of the GDPR. Clearview AI must remain responsive to access, rectification, erasure, and restriction requests made by individuals, as per Article 12(3) of the GDPR. This ensures individuals can still exercise their rights regarding data processed before the ban and erasure order.
Designation of EU Representative
To ensure accountability and facilitate regulatory oversight, the Italian SA has mandated Clearview AI to designate a representative within the territory of the European Union. This requirement, stemming from Article 27 of the GDPR, is essential for companies operating within the EU but lacking a physical presence. Having an EU-based representative provides a local point of contact for both data protection authorities and individuals, streamlining communication and enforcement of GDPR regulations.
Implications and Further Information
This decision by the Italian Data Protection Authority underscores the stringent enforcement of GDPR within the European Union and its member states. It sends a clear message to companies operating globally that processing the personal data of EU residents requires full compliance with GDPR, regardless of the company’s location. The hefty EUR 20 million fine and the comprehensive corrective measures imposed on Clearview AI highlight the potential financial and operational consequences of non-compliance.
For more detailed information regarding this decision, the original document, “Ordinanza ingiunzione nei confronti di Clearview AI – 10 febbraio 2022 (IT),” is available on the website of the Italian Data Protection Authority. This document provides a comprehensive legal and factual basis for the decision.
Ordinanza ingiunzione nei confronti di Clearview AI – 10 febbraio 2022 (IT)
Disclaimer: This summary is for informational purposes only and does not constitute official EDPB communication or endorsement. For any inquiries, please contact the Italian supervisory authority directly.
