Full Report
Noyb says New York-based facial recognition biz flouted GDPR orders and kept scraping anyway Privacy advocates at Noyb filed a criminal complaint against Clearview AI for scraping social media users' faces without consent to train its AI algorithms.…
Analysis Summary
# Regulation/Compliance: GDPR Enforcement Against Non-Compliant Data Processing
## Overview
This summary focuses on the implications of Clearview AI allegedly ignoring General Data Protection Regulation (GDPR) orders (including fines and bans) by continuing to scrape social media users' faces without consent to train its AI. The key regulatory interest here is the enforcement mechanism available under the GDPR, specifically the pursuit of criminal penalties in member states.
## Key Details
- Issuing Authority: Various EU Data Protection Authorities (DPAs) (e.g., France, Greece, Italy, Netherlands, UK, Austria) and ultimately, EU Member State Public Prosecutors.
- Effective Date: The GDPR became effective on May 25, 2018. The specific criminal action cited hinges on national implementations of GDPR, such as Article 84.
- Jurisdiction: European Union (EU) Member States and the European Economic Area (EEA).
- Status: GDPR is In Effect. The criminal complaint detailed in the article is **Active**.
## Requirements
### Mandatory Requirements (Based on GDPR violations cited)
1. **Lawful Basis for Processing:** Organizations must establish a lawful basis (e.g., explicit consent) before processing personal data, especially for sensitive purposes like biometric data processing via facial recognition algorithms.
2. **Compliance with DPAs' Orders:** Organizations must immediately comply with the binding decisions, including bans on processing activities, issued by competent Data Protection Authorities.
3. **Adherence to Fines and Penalties:** Any financial penalties levied by DPAs must be paid unless successfully appealed through appropriate legal channels.
### Recommended Practices
1. **Proactive Dispute Resolution:** Engage constructively with DPAs regarding processing methods rather than ignoring enforcement actions.
2. **Jurisdictional Mapping:** If operating across multiple EU states, ensure compliance teams track and adhere to specific national guidelines and implementation texts (e.g., Austria's criminal provisions).
## Affected Organizations
- **Industries:** Any organization processing the personal data of EU residents, especially those involved in large-scale biometric data collection, AI training, and cross-border data transfers (e.g., Tech companies, AI developers).
- **Organization Size:** Applies regardless of size, though penalties can be more impactful for smaller entities.
- **Geographic Scope:** Any entity processing data of individuals located in the EU/EEA.
## Compliance Timeline
Since the GDPR is already in effect, there are no general future deadlines related to the core regulation. The timeline below reflects the enforcement actions mentioned:
- **Pre-2023:** Multiple DPAs (France, Greece, Italy, Netherlands, UK) levied fines and issued bans against Clearview AI.
- **2023:** Austria ruled Clearview AI's practices illegal.
- **Recent/Current:** Noyb filed a criminal complaint with Austrian public prosecutors, initiating a potential criminal timeline based on Austrian domestic law provisions (e.g., Article 84 implementation).
- **Final deadline:** Full compliance with existing DPA orders (payment of fines, cessation of non-compliant scraping) is immediately required.
## Implementation Guidance
### Assessment Phase
- **Data Mapping:** Conduct a thorough audit of all personal data processing activities, specifically cross-referencing facial recognition training against established lawful bases (consent, legitimate interest assessment).
- **DPA Enforcement Review:** Review all correspondence, fines, and enforcement notices received from all relevant EU DPAs to confirm all outstanding orders have been addressed or legally challenged.
### Implementation Phase
- **Cease Unlawful Processing:** Immediately halt the scraping of social media photos for training if determined to lack a valid GDPR legal basis.
- **Remediation of Violations:** Engage legal counsel to structure payment plans for outstanding fines where non-compliance is acknowledged, or begin formal legal challenges if disputes persist.
### Validation Phase
- **Internal Audit:** Conduct regular compliance audits focusing specifically on biometric processing pipelines.
- **External Assurance:** Seek third-party attestations confirming adherence to specific DPA remediation plans.
## Technical Requirements
While the core complaint is legal/procedural, the underlying technical violation relates to data acquisition:
1. **Automated Data Exclusion:** Implement technical mechanisms to prevent the mass automated scraping of publicly available personal data where consent is not established.
2. **Data Minimization:** Ensure that acquired biometric templates used for AI training are strictly limited to what is necessary and proportionate.
## Penalties & Enforcement
- **Fines:** Non-compliance with GDPR can lead to fines up to €20 million or 4% of annual global turnover (whichever is higher). Clearview AI allegedly owes over $100 million in unpaid fines across several jurisdictions.
- **Other Consequences:**
* **Criminal Penalties:** The current action hinges on Article 84 of GDPR, potentially leading to **imprisonment** for executives in the prosecuting member state (Austria).
* **Processing Bans:** DPAs have issued orders banning specific data processing activities.
* **Reputational Damage:** Severe negative publicity resulting from non-compliance and subsequent legal battles.
- **Enforcement:** Enforcement is pursued via DPAs (administrative fines/orders) and, as shown here, through **national public prosecutors** utilizing specific member state provisions for criminal sanctions against willful disregard of data protection laws.
## Related Standards
- **GDPR (General Data Protection Regulation):** The foundational regulatory framework guiding data processing throughout the EU.
- **ISO/IEC 27701:** Privacy Information Management System (PIMS) standard; implementing its controls demonstrates adherence to GDPR principles regarding records of processing and data subject rights.
- **NIST AI Risk Management Framework (RMF):** Provides guidance on managing risks associated with AI systems, which would cover the concerns regarding bias and unlawful data use in training data.
## Resources
- **Official Documentation:** Link to current GDPR text (defanged: ht tps://gdpr-info.eu/)
- **Guidance Documents:** Official guidelines published by the European Data Protection Board (EDPB) on enforcement harmonization.
- **Tools:** Tools supporting data subject access request fulfillment and lawful basis verification for processing.
## Practical Recommendations
1. **Do Not Ignore DPAs:** Treat all enforcement notices and fines from EU DPAs with the highest priority; non-payment or non-compliance escalates the risk profile significantly, potentially triggering criminal proceedings.
2. **Establish Criminal Risk Assessment:** For executives in non-EU companies processing EU data, assess the risk specific member state criminal laws could pose for failures to adhere to injunctions.
3. **Document Legal Challenges:** Maintain meticulous records of all legal actions taken to challenge DPA findings; merely ignoring rulings is the primary catalyst for the severity of the current legal exposure.