Clearview AI Fined €60M by EU Data Protection Authorities for Facial Recognition Database GDPR Violations

Critical

Multiple EU data protection authorities fined Clearview AI approximately €60M total for collecting billions of facial images without consent, violating GDPR biometric data protections across Italy, France, UK, and Greece.

Category: Privacy Leak
Industry: Technology
Status: Resolved
Date Occurred: Jan 1, 2017
Date Reported: Oct 19, 2021
Jurisdiction: EU
AI Provider: Other/Unknown
Model: Clearview AI Facial Recognition System
Application Type: api integration
Harm Type: privacy
Estimated Cost: $70,000,000
People Affected: 3,000,000,000
Human Review in Place: No
Litigation Filed: No
Regulatory Body: Italian Data Protection Authority (Garante), French CNIL, UK ICO, Greek DPA
Fine Amount: $70,000,000
Tags: facial recognition, GDPR, biometric data, web scraping, data protection, regulatory enforcement, cross-border privacy, consent violations

Full Description

Between 2021 and 2022, Clearview AI faced coordinated regulatory enforcement actions across multiple European jurisdictions for systematic violations of GDPR privacy protections. The company had built a massive facial recognition database containing over 3 billion images scraped from social media platforms including Facebook, Instagram, Twitter, and YouTube, as well as millions of other websites, without obtaining consent from the individuals depicted.

The Italian Data Protection Authority (Garante) was the first to act in October 2021, imposing a €20 million fine and ordering Clearview to delete all data relating to Italian residents. The authority found that Clearview violated Articles 6 and 9 of GDPR by lacking lawful basis for processing biometric data and failing to obtain explicit consent. France's Commission Nationale de l'Informatique et des Libertés (CNIL) followed in October 2021 with an identical €20 million penalty, citing violations of data subject rights and lack of transparency about data processing activities. The UK's Information Commissioner's Office (ICO) issued a £7.5 million fine in May 2022, finding that Clearview processed UK residents' biometric data without consent and failed to prevent unauthorized access to personal data. Greece's Data Protection Authority imposed an additional €20 million fine in 2022. Each regulator emphasized that biometric data deserves special protection under GDPR due to its sensitive nature and permanent identifying characteristics.

Clearview AI's defense centered on claims that the images were publicly available and that their service was primarily intended for law enforcement use. The company argued that their activities fell under legitimate interest provisions and that they operated primarily outside EU jurisdiction. However, regulators rejected these arguments, emphasizing that public availability does not constitute consent for biometric processing and that GDPR applies to any processing of EU residents' data regardless of company location.

The enforcement actions revealed significant challenges in cross-border digital privacy regulation. Despite the fines and deletion orders, Clearview AI initially refused to comply, arguing that European authorities lacked jurisdiction over the US-based company. The company's limited EU presence and assets made enforcement difficult, highlighting gaps in international privacy law coordination and the challenges of regulating global technology platforms that operate across jurisdictional boundaries.

Root Cause

Clearview AI systematically scraped billions of facial images from social media platforms and public websites without obtaining consent from individuals, violating core GDPR principles including lawful basis for processing, data minimization, and transparency requirements.

Mitigation Analysis

Implementation of consent mechanisms before image collection, transparent privacy policies explaining biometric data processing, purpose limitation controls to restrict usage to legitimate law enforcement needs, and data minimization practices to avoid mass collection could have prevented violations. Geographic processing restrictions and regular compliance audits would have identified GDPR gaps earlier.

Lessons Learned

The Clearview case demonstrates the extraterritorial reach of GDPR and the heightened scrutiny applied to biometric data processing. It highlights the need for clear consent mechanisms in AI training data collection and the compliance challenges faced by global technology companies operating across multiple privacy regimes.

Sources

Italian Data Protection Authority Orders Clearview AI to Delete Data and Pay €20M Fine
Garante per la Protezione dei Dati Personali · Oct 19, 2021 · regulatory action
Facial recognition: 20 million euros penalty against CLEARVIEW AI
Commission Nationale de l'Informatique et des Libertés · Oct 21, 2021 · regulatory action
ICO fines facial recognition database company Clearview AI Inc more than £7.5m
UK Information Commissioner's Office · May 23, 2022 · regulatory action