{"id":135,"date":"2024-09-04T18:04:03","date_gmt":"2024-09-04T18:04:03","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=135"},"modified":"2024-09-04T18:04:03","modified_gmt":"2024-09-04T18:04:03","slug":"dutch-regulator-fines-clearview-e30-million-or-more","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=135","title":{"rendered":"Dutch regulator fines Clearview \u20ac30 million\u2026 or more"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

The Dutch Data Protection Authority, Autoriteit Persoonsgegevens, is the latest European regulator to crack down on American face-recognition firm Clearview AI, levying a \u20ac30.5 million (US$33.8 million) fine that is likely to grow to \u20ac35.5 million due to additional penalties for non-compliance.<\/p>\n

Of potentially greater concern to US businesses considering violating the privacy of Dutch citizens is that the authority also said it was considering going after Clearview\u2019s board of directors \u201cpersonally.\u201d<\/p>\n

Clearview has run afoul of many regulators in Europe, with the Dutch action following investigations finding violations of the General Data Protection Regulation (GDPR)<\/a> in France, Italy, Greece, Germany, Britain and Austria.\u00a0<\/p>\n

The Office of the Australian Information Commissioner (OAIC) in August opted to not fine Clearview<\/a>, but its statements stressed that it believed that Clearview had violated Australian privacy rules. It said it chose not to pursue the company given the large number of other privacy investigations against it.\u00a0<\/p>\n

The Dutch authority issued a sternly worded statement on Tuesday aimed as much at other companies trying to leverage global data as at Clearview.<\/p>\n

\u201cFacial recognition is a highly intrusive technology that you cannot simply unleash on anyone in the world,\u201d said the authority\u2019s chairman Aleid Wolfsen in a statement<\/a>. \u201cIf there is a photo of you on the Internet \u2014 and doesn\u2019t that apply to all of us? \u2014 then you can end up in the database of Clearview and be tracked. This is not a doom scenario from a scary film. Nor is it something that could only be done in China.\u201d<\/p>\n

Wolfsen also addressed Clearview\u2019s services to law enforcement. \u201cClearview says that it provides services to intelligence and investigative services outside the European Union (EU) only. That is bad enough as it is.\u00a0This really shouldn\u2019t go any further. We have to draw a very clear line at incorrect use of this sort of technology,\u201d he said.<\/p>\n

He sees a major difference between law enforcement collecting such data as opposed to a private company doing the collection. He said such collection should \u201ccertainly not (be done) by a commercial business. And by competent authorities in highly exceptional cases only. The police, for example, have to manage the software and database themselves in that case, subject to strict conditions and under the watchful eye of the Dutch DPA and other supervisory authorities.\u201d<\/p>\n

Pursuing customers\u2026 and directors<\/h2>\n

The Dutch regulator also said that it would pursue actions against the company\u2019s customers. \u201cClearview breaks the law, and this makes using the services of Clearview illegal. Dutch organizations that use Clearview may therefore expect hefty fines from the Dutch DPA.\u201d<\/p>\n

Frustrated by an apparent lack of cooperation from Clearview, Wolfsen said that the regulator is prepared to pursue legal actions against members of the company\u2019s board of directors.<\/p>\n

\u201cClearview is an American company without an establishment in Europe. Other data protection authorities have already fined Clearview at various earlier occasions, but the company does not seem to adapt its conduct. That is why the Dutch DPA is looking for ways to make sure that Clearview stops the violations. Among other things, by investigating if the directors of the company can be held personally responsible for the violations,\u201d Wolfsen said. \u201cSuch (a) company cannot continue to violate the rights of Europeans and get away with it. Certainly not in this serious manner and on this massive scale. We are now going to investigate if we can hold the management of the company personally liable and fine them for directing those violations. That liability already exists if directors know that the GDPR is being violated, have the authority to stop that, but omit to do so, and in this way consciously accept those violations.\u201d<\/p>\n

The regulator added that Clearview responded in a letter but did not explicitly dispute the findings. \u201cClearview has not objected to this decision and is therefore unable to appeal against the fine,\u201d he said.<\/p>\n

Images of children<\/h2>\n

Another factor at issue in the case is Clearview\u2019s use of grabbing and leveraging images of children, the Dutch regulator said in the official document detailing the charges<\/a>.<\/p>\n

\u201cFrom information on the Clearview website, it follows that they also offer the application of facial recognition software for identifying children. On their website, Clearview for instance states: \u2018a federal agency\u2019s child exploitation unit tripled the number of victims identified with Clearview AI.\u2019\u201d<\/p>\n

\u201cAccording to Clearview, the database contains 30 billion images and by now this number has in all likelihood grown. No measures have been taken to filter and bar images of Dutch data subjects nor their behavior in the Netherlands from the database,\u201d the document said. \u201cOn the contrary, from the previous marginal number, it follows that Clearview\u2019s crawler scrapes Dutch websites as well.\u201d<\/p>\n

Tim Peters, an officer of compliance firm Enghouse Systems in Canada, stressed that the large number of regulatory actions is what should grab the attention of enterprise CISOs.\u00a0<\/p>\n

Despite the belief that European authorities have little ability to enforce their fines and related penalties against overseas companies, Peters argues that a cumulative effect can make a difference.<\/p>\n

\u201cWhile many might assume this American company will simply ignore the fine, the real risk lies not in this specific penalty but in triggering a wave of regulatory scrutiny. When one regulator takes decisive action on sensitive issues like facial recognition and biometric data, it can often lead to a chain reaction across other jurisdictions,\u201d Peters told CSO Online. \u201cRegulators tend to collaborate and the GDPR framework in Europe is closely watched by other regions, meaning this company could face additional fines globally.\u201d<\/p>\n

\u201cPeople should be considering the snowball effect here. If this company chooses to disregard the fine, other regulators could take note and follow suit with their own actions. Australia, for example, initially chose not to fine the company, but seeing the Dutch regulator\u2019s stance might lead them to revisit that decision,\u201d Peters said. \u201cThis could create a pile-on effect, where multiple countries impose penalties, leading to a significant reputational and financial hit.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

The Dutch Data Protection Authority, Autoriteit Persoonsgegevens, is the latest European regulator to crack down on American face-recognition firm Clearview AI, levying a \u20ac30.5 million (US$33.8 million) fine that is likely to grow to \u20ac35.5 million due to additional penalties for non-compliance. Of potentially greater concern to US businesses considering violating the privacy of Dutch […]<\/p>\n","protected":false},"author":0,"featured_media":136,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-135","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/135"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=135"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/135\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/136"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=135"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=135"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=135"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}