The Italian Data Protection Authority (DPA) gave a very harsh response to the US company Clearview AI inc. which, with order of February 10th 2022, was fined 20 million euros for violating art. 5,6,9,12,13,14,15 and 27 of the EU General Data Protection Regulation.
The proceeding rose from a complex investigation conducted with the assistance of other European authorities and initiated ex officio against Clearview AI Inc. In particular, Clearview is a US company which developed highly qualified biometric search and face detection software, mostly addressed to specific categories of customers such as law enforcements or government authorities.
In brief, the Clearview software collects in an automated way, through web scraping, images publicly accessible on the web (including social network, websites, blogs and videos) and stores them in its own database, where they are archived even if the original images are then removed or turned private.
The images are elaborated in order to extract the identifying characteristics of each of them and, subsequently, transformed into vectorial representations which follow the different unique lines of a human face. Finally, they undergo hashing for database indexing purposes.
Each image is enriched with other metadata, such as the link to the source from which it was extracted, geo-localization, gender, date of birth or nationality of the subject represented in the image. In other terms, Clearview creates biometrical models associated to a sort of face digital fingerprint (image hash) which facilitates the activity of indexing and comparison with the reference samples object of research.
Thus, when a client of Clearview queries the platform uploading an image to search for, the platform compares it the images stored in the database. If the software identifies a correspondence, it will extract the relative images and present them to the client along with all the related metadata and links.
The investigation conducted by the Italian DPA revealed the creation of a database with over 10 billion face images at the disposal of the Clearview’s clients. All this unbeknown to the users, including Italians.
During the proceeding, Clearview defended itself stating, among other things, that the software was performing a mere activity of classification of the images found online, denying to be subjected to the jurisdiction of the Italian DPA. Since it did not have clients nor offices in Italy, it denied to be the data controller because such role could have been attributed only to the clients using the platform, that is law enforcements and public subjects.
The argumentations of the US company were considered to be lacking of foundation by the Italian DPA, who, first of all, recalled how the public disposal of data on the web does not imply, on its own, the legitimacy of their collection and their use by third parties. The publication is, indeed, bound only to the purpose intended by the interested party (for example, the visibility on a particular social network).
In addition, “the possible public nature of the images is not sufficient to think that the interested parties could reasonably expect a use for face detection purposes, moreover by a private platform, not established in the European Union and existence and activity of which most of the interested parties is unaware”.
In the opinion of the Italian DPA, the activity of web scraping carried out by Clearview integrates an operation of personal data collection on which are performed further processing operations, such as the interconnection of images’ data, common and biometrical, with the collected metadata, stored and associated to face images. This activity makes Clearview the controller of the data. As a consequence, it should have conformed rigorously to what provided by the EU Regulation on personal data.
On this regard, the Italian DPA verified the unlawfulness of the processing acted by Clearview and the infringement of multiple provisions of the Regulation. In particular, the conducts of Clearview were found to be contrary to the principles of lawfulness, fairness and transparency in the data processing, since the interested parties did not have any contact with the company, have not been informed about the activity carried out by the same, nor have they been the recipients of any information or request of consent.
Lastly, there is proof of a number of complaints and requests of information sent by the interested parties, including Italians, to which however Clearview had not given an exhaustive response. Even this conduct was found to be unlawful because it led to the substantial impossibility for the interested parties to know the information concerning them or to obtain its cancellation.
And it was also this circumstance to give foundation to the jurisdiction of the Italian DPA: the DPA could affirm its competence to judge and fine the conduct of Clearview precisely because the collection of data of subjects who are in the European Union and, in particular, in Italy, has been demonstrated.
Ilaria Feriti