Clearview AI has been hit with its largest fine yet under Europe’s General Data Protection Regulation (GDPR) by a Dutch regulator. The Dutch Data Protection Authority, or Dutch DPA, announced a fine of 30.5 million euros, or about $33.7 million.
The Dutch DPA accused Clearview of creating an illegal database with “unique biometric codes” linked to the photos it collected. It also allegedly failed to give people whose faces were in the database sufficient information about how their image and biometric data are used. The company also allegedly continued to violate the law after the Dutch authorities began investigating it, which the Dutch DPA said could lead to an additional fine of up to 5.1 million euros.
Given that Clearview has not changed its behavior after other fines, according to the Dutch DPA, the regulator said in a press release that it “is looking for ways to make sure that Clearview stops the violations.” Dutch DPA chair Aleid Wolfsen said in a statement that company directors could be held personally liable if they knew of the GDPR violations and could have stopped them but chose not to.
The Dutch DPA said Clearview can’t appeal the fine because it hasn’t objected to the decision. But Clearview says it’s not enforceable. In a statement, Clearview’s chief legal officer, Jack Mulcaire, said that the company “does not have a place of business in the Netherlands or the EU, it does not have any customers in the Netherlands or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR.” Mulcaire said that the decision is “unlawful, devoid of due process and is unenforceable.”