Background. Clearview AI is a US company that scrapes the internet and adds all of the faces it can find in photos and videos to its database. It claims to have collected more than 60 billion photos. This allows customers of Clearview AI to identify people by uploading a photo and obtaining other pictures of the same person, including links, the name of a subpage of a website and other meta data. The company originally tried to operate largely under the radar but the New York Times revealed its practices in 2020. While Clearview AI primarily promotes its facial recognition software as a tool for law enforcement, it was also used by companies such as Walmart or Bank of America.

Max Schrems: “Facial recognition technology is extremely invasive. It allows for mass surveillance and immediate identification of millions of people. Clearview AI amassed a global database of photos and biometric data, which makes it possible to identify people within seconds. Such power is extremely concerning and undermines the idea of a free society, where surveillance is the exception instead of the rule.”

Clearly illegal and intrusive. EU data protection authorities have already repeatedly held that Clearview AI, which processed the data of millions of Europeans, clearly violated the GDPR. The French, the Greek, the Italian and the Dutch authority imposed fines of roughly 100 million euros on Clearview for its intrusive practices. The Austrian data protection authority considered that Clearview AI has acted illegally. Several bans were issued. These decisions were not challenged by the US company.

Ignoring the law. Instead, Clearview AI is simply ignoring the EU authorities. Only in the UK did the company appeal the decision and fine imposed by the British ICO, with a final court decision yet to be issued. EU data protection authorities did not come up with a way to enforce its fines and bans against the US company, allowing Clearview AI to effectively dodge the law.

Max Schrems: “Clearview AI seems to simply ignore EU fundamental rights and just spits in the face of EU authorities.”

Criminal Complaint. However, EU law is not limited to administrative fines under the GDPR. Article 84 GDPR also allows EU Member States to foresee criminal sanctions for GDPR breaches. Austria has implemented such a criminal provision for certain GDPR violations in § 63 of its national Data Protection Act. In contrast to GDPR violations, criminal violations also allow actions to be taken against managers and to use the full range of criminal procedures, including EU-wide actions. For that reason, noyb now filed a criminal complaint with the public prosecutors in Austria. If successful, Clearview AI and its executives could face jail time and be held personally liable, in particular if traveling to Europe.

Max Schrems: “We even run cross-border criminal procedures for stolen bikes, so we hope that the public prosecutor also takes action when the personal data of billions of people was stolen – as has been confirmed by multiple authorities.”