
Article IT and Data Protection | 10/10/24 | 5 min. | Florence Chafiol Robin Nini
By three decisions issued by the Italian, French, and Dutch data protection authorities, Clearview AI has been sanctioned for numerous violations of the GDPR.
Beyond the violations committed by the company, these decisions illustrate the broad extraterritorial scope of the GDPR, which applies to a company that (i) has no establishment in the European Union and (ii) does not offer goods or services in the Union.
The authorities deemed that the GDPR applies to the company’s processing because its database contains photographs of European residents collected from publicly accessible sources, allowing for ‘behavioral monitoring’ within the European Union (Article 3.2 (b)).
These conclusions could apply to any artificial intelligence system that collects massive amounts of personal data, regardless of the provider's location or target market.
Summary of the facts
Clearview AI is a company that offers a search engine for images of individuals.
Its technology relies on the regular large-scale extraction ("scraping") of images of individuals from publicly accessible sources on the internet, including social media and search engines.
Once these images are collected, Clearview generates a unique biometric template for each person, allowing its clients to match the image submitted to the search engine ("probe image") with those in the system's database.
This enables users of the solution, primarily law enforcement agencies, to accurately identify individuals.
Clearview AI also collects metadata from photographs, such as location and information added by the person.
This additional information helps to create an even more detailed profile of the person.
Clearview AI has thus created a database containing over 30 billion photographs, including those of people located in the European Union.
Systematic Photo Collection Enables 'Behavioral Tracking' Regardless of Processing Purpose.
By regularly collecting photographs of the same individual to feed and update its database, Clearview AI performs a "behavioral tracking" of individuals located in the European Union within the meaning of Article 3.2 (b) of the GDPR.
Based on these photographs, it is indeed possible to infer physical changes of a specific person, personal information such as their marital status, or the activities they engage in.
The decisions are particularly noteworthy in that the data protection authorities rejected Clearview AI's argument that behavioral tracking was not the purpose of the processing.
It follows that the mere collection of data enabling behavioral tracking makes the GDPR applicable to the processing in question, regardless of the actual purpose pursued by this processing.
Implications for Providers of Artificial Intelligence Systems
These decisions show that all providers of AI systems that operate through the large-scale and indiscriminate collection of data may be subject to the GDPR, even when the provider does not intend to target the European market.
The conclusions are applicable to various AI systems such as:
- Image search engines like Clearview AI,
- Predictive AI trained on personal data,
- Generative AI trained on public images/videos to mimic and imitate human behaviors.
Recommendations for AI System Developers
AI providers should therefore assess the applicability of the GDPR from the design stage by determining the data used for training and operating the system.
To mitigate GDPR risks, it is advisable to implement filters to prevent the collection of personal data from individuals located in the European Union, as recommended by the Dutch authority.
Additionally, it is recommended to include contractual clauses with deploying clients to ensure they do not use the solution to process data from individuals located in the European Union, unless this data remains within the deployer's information system and is not reintegrated into the system’s database for training and improvement.