A U.S. tech company scraped billions of photos from the internet, built one of the world’s largest facial recognition databases – and got hit with multi-million euro fines in Europe. The Clearview AI case shows that the GDPR reaches further than many companies outside the EU expect. And that ignoring it comes at a steep price.
Clearview AI collected publicly accessible images from the web on a massive scale and used them to develop facial recognition software, primarily marketed to law enforcement agencies. The French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), found this practice to be a clear breach of the GDPR.
The key issue: even publicly available data cannot simply be collected and processed at will. Under the GDPR, any processing of personal data requires a valid legal basis – and Clearview had none. The CNIL identified multiple violations: unlawful data processing, insufficient respect for affected individuals’ rights to access or delete their data, and a failure to cooperate with the authority’s investigations.
In 2022, the CNIL imposed the maximum administrative fine available under the GDPR: €20 million. But Clearview did not comply with orders to delete the unlawfully collected data and stop further processing. The consequence was an additional penalty of €5.2 million in 2023 – bringing the total to over €25 million.
The case also exposes a structural challenge in EU data protection law: while the rules are clear and the fines are substantial, actually enforcing them against companies based outside the EU remains difficult. Clearview has no legal presence in Europe, which makes compliance – and consequences – harder to compel in practice.
The Clearview AI case makes one thing unmistakably clear: the GDPR does not stop at Europe’s borders. Any company that processes personal data of EU residents falls under its scope, regardless of where it is headquartered. Those who collect data without a legal basis, refuse to cooperate with authorities, and ignore deletion orders must expect escalating financial penalties. Europe’s data protection rules are not a formality – they are enforced.