Information Commissioner (ICO)-Clearview Al Inc. (5/18/2022)

In the course of its investigation the DPA found that the personal data contained in the company’s database had been processed unlawfully and without a valid legal basis.

Furthermore, in order to exercise their rights under the GDPR, such as the right of access under Art. 15 GDPR, data subjects had to provide Clearview with additional personal data by submitting a photograph of themselves that could be matched against the Clearview database. According to the DPA, this constitutes a significant impediment and deterrent to the exercise of such rights.

In addition, the DPA found that the company had violated several principles of the GDPR. For example, the company had violated the principle of transparency by failing to adequately inform users about the processing of their data. Clearview had also violated violated the principle of storage limitation by not providing a data retention policy and thus not being able to ensure that personal data is not held for longer than necessary. Further, Clearview failed to conduct a privacy impact assessment despite the high risk to data subjects’ data.