With two huge fines imposed on Uber (290 million euros) and Clearview (30 million euros), the Dutch Data Protection Authority (AP) showed its teeth this summer. In doing so, the supervisory authority is responding to criticism from the civil rights movement that the AP has had little visibility in recent years.
‘Large international companies could easily get away with privacy violations,’ says Nadia Benaissa, policy advisor at Bits of Freedom. She hopes that the imposed sanctions will have a deterrent effect. Otherwise, the AP will remain a paper tiger that is powerless against large tech companies and falls short in enforcement.
Clearview, which illegally collects data for facial recognition all over the world, is particularly difficult to tackle. This is because the American company has no establishment in the EU. Clearview appears to simply continue scraping portrait photos from the internet on a large scale. The company then converts this material into a unique biometric code for each face. And this is done without consent. The collection and use of this is prohibited. There are some legal exceptions, but Clearview cannot rely on them. Clearview refuses to comply with the GDPR. The company has not objected to the AP decision and therefore cannot appeal the fine.
In several countries, privacy watchdogs have tried to tackle Clearview, but without success. Nadia Benaissa therefore welcomes the fact that the AP is looking into the possibility of holding Clearview CEO Hoan Ton-That and his fellow directors personally liable. This next step will be considered if the fines prove irrecoverable. In France and Greece, the supervisors were unable to persuade Clearview to pay.
Holding directors liable
AP chairman Aleid Wolfsen: ‘We are now going to investigate whether we can hold the management of the company personally liable and fine them for leading these violations. That liability already exists, if directors know that the GDPR is being violated, are authorized to stop it but fail to do so and thus consciously accept those violations.’
The AP is investigating whether, based on criminal law, directors can be personally fined for violations of administrative law. This has not been done before with this type of AVG fine. The problem with collection is that the AP cannot simply send a bailiff to America or collect fines via the central judicial collection agency. Furthermore, it is investigating whether an arrest warrant is possible if the directors concerned enter the EU. If it is not legally possible to hold the directors personally liable and no legal remedy works, the AP will push for additional legislation in the Netherlands and the EU. Nadia Benaissa would think that would be a good move.
Put on black
Technically, there are no possibilities to stop the use of Clearview in the Netherlands. According to a spokesperson for the AP, the servers of the American company cannot be disabled, since they are all located outside the EU. ‘Furthermore, the AP lacks the authority to black out the Clearview website via providers. Such an action would also have little effect, because searches can also be done outside the website. Instead of having online access to the database, you can also use a Clearview service to identify people based on their photo.
Incidentally, there is no insight into the use of Clearview in the Netherlands. The fine of 30 million follows a complaint from Bits of Freedom in 2023. Another spokeswoman for Bits of Freedom says she suspects that the police still use the service. But hard evidence is lacking. She is also in the dark about possible use by Dutch intelligence and security services.
Research of BuzzFeed in February 2020 revealed that 51 to 100 searches were submitted to Clearview by the Dutch police. Authorities in Belgium have also been snooping, as the logs show. The biometric surveillance system was used there, as well as in many other countries. People working for 2,228 law enforcement agencies, other institutions and also companies had access, according to lists from BuzzFeed. Most customers used the tool at the time on the basis of a free trial subscription that usually lasted 30 days.
Use by Dutch police?
Then-Minister Ferd Grapperhaus (Justice and Security) did not rule out in 2021, after he had previously spoken out about scraping, that an individual police officer had once visited the Clearview website and made a number of queries. But that does not mean that the system has been put into operation, according to the minister. ‘This technology is not used for police work.’
According to Bits of Freedom, the AP investigation has not yielded any new facts. Similar investigations have been conducted in Italy, France, Greece and the United Kingdom for two years or more. But Nadia Benaissa still thinks it is important that research has now been conducted specifically aimed at the Netherlands. The fine has sent a clear signal that these violations must not continue. If this can deter government institutions and companies, much has already been achieved, according to Bits of Freedom. In America, Clearview has agreed under pressure from civil rights organizations to no longer sell its controversial software to companies in the US. There is also a large class action lawsuit pending there, in which people have collectively taken Clearview to court.