AD Article
GDPR and AI: A Case Study of Extraterritorial GDPR Application with Clearview AI Decisions
By three decisions issued by the Italian, French, and Dutch data protection authorities, Clearview AI has been sanctioned for numerous violations of the GDPR. Beyond the violations committed by the company, these decisions illustrate the broad extraterritorial scope of the GDPR, which applies to a company that (i) has no establishment in the European Union and (ii) does not offer goods or services in the Union. The authorities deemed that the GDPR applies to the company’s processing because its database contains photographs of European residents collected from publicly accessible sources, allowing for ‘behavioral monitoring’ within the European Union (Article 3.2 (b)). These conclusions could apply to any artificial intelligence system that collects massive amounts of personal data, regardless of the provider's location or target market.