Facial Recognition Firm Clearview AI Faces Criminal Complaints Over Unpaid GDPR Fines
A legal battle with profound implications for digital privacy and the global reach of data protection laws is escalating in Europe. The controversial facial recognition company, Clearview AI, is now facing criminal complaints after repeatedly ignoring multimillion-euro fines for violating the EU’s General Data Protection Regulation (GDPR).
This move marks a significant new phase in the fight against unauthorized data scraping and the use of biometric information without consent.
The Core of the Controversy: A Database Built on Scraped Images
Clearview AI built its business on a staggering premise: it scraped billions of public images from social media platforms and websites to create a massive facial recognition database. This powerful tool, sold primarily to law enforcement agencies, allows users to upload a photo of an individual and instantly find other public images of that person, potentially linking them to their name and other personal information.
Privacy advocates and data protection authorities (DPAs) across Europe have argued that this practice is a flagrant violation of privacy rights. The core issues are:
- Lack of Consent: Individuals whose images were scraped never gave permission for their biometric data to be collected, stored, or used in a searchable database.
- Unlawful Processing: Under GDPR, processing sensitive biometric data requires an explicit and lawful basis, which regulators say Clearview AI completely lacks.
- Violation of Purpose: Images posted on social media for personal sharing were repurposed for an entirely different and invasive purpose—facial recognition surveillance.
From Civil Fines to Criminal Action
Over the last few years, data protection authorities in several European nations, including France, Italy, Greece, and the UK, have levied massive fines against the company. These fines, often reaching the €20 million mark in each country, were accompanied by orders for Clearview AI to delete all data belonging to their citizens.
However, Clearview AI has consistently argued that it is not subject to EU law, as it is a U.S.-based company with no physical offices or customers in Europe. Consequently, the company has refused to pay the fines or comply with the data deletion orders, effectively ignoring the rulings of sovereign regulators.
This defiance has prompted the privacy advocacy group NOYB (“None of Your Business”) to take the unprecedented step of filing criminal complaints. The group argues that ignoring a final and enforceable order from a national data protection authority constitutes a criminal offense in several countries, including France, Austria, and Greece. If prosecutors agree, this could lead to criminal proceedings not just against the company, but potentially against its executives.
What This Means for Global Tech and Your Privacy
This escalation is more than just a legal dispute with one company; it’s a critical test case for the global enforcement of privacy law. The outcome could set a powerful precedent for how non-EU companies are held accountable for their data practices.
The key takeaway is that GDPR’s authority does not necessarily stop at Europe’s borders. The law is designed to protect the data of EU residents, regardless of where the company processing that data is located. Clearview AI’s case challenges this principle head-on, and European authorities are now using criminal law to prove their regulations have teeth.
For individuals, this situation highlights the vulnerability of any information posted publicly online. What you share for friends and family can be easily repurposed by companies for commercial or surveillance purposes without your knowledge.
How to Better Protect Your Digital Image
While it’s difficult to completely prevent determined data scraping, you can take steps to minimize your exposure and protect your biometric data.
- Set Social Media Profiles to Private: This is the single most effective step. Scrapers primarily target public profiles. Regularly review the privacy settings on all your accounts, including Facebook, Instagram, and LinkedIn, and restrict your audience to “Friends” or “Connections” only.
- Limit Publicly Available Photos: Be mindful of where your photo appears online. This includes old forum avatars, public blog posts, or company websites. If possible, untag yourself from public photos posted by others.
- Think Before You Post: Before uploading a new photo, consider the context and visibility. Once an image is on the public internet, you lose control over how it might be used by third parties.
- Use Privacy Tools: Explore services that can help you find and request the removal of your data from data brokers and other online sources. While not always effective against non-compliant companies, they can reduce your overall digital footprint.
The legal battle against Clearview AI underscores a modern reality: our digital identity is valuable and vulnerable. As regulators move to enforce privacy laws more aggressively, it is crucial for both individuals and businesses to understand the responsibilities and risks associated with personal data in a connected world.
Source: https://go.theregister.com/feed/www.theregister.com/2025/10/28/noyb_criminal_charges_clearview/
