Clearview AI — €100 million in fines for biometric data without consent
The company that scraped billions of photos from the internet
Clearview AI is a US company that scraped over 30 billion photographs from publicly available sources — social networks, news sites, personal websites — without users' knowledge or consent. From these images, it built a facial recognition database and offered it to law enforcement and private companies.
European supervisory authorities responded with a series of fines totaling over €100 million. However, Clearview AI has not paid most of them and has not stopped processing European citizens' data.
Fines across Europe
| Country | Fine | Year |
|---|---|---|
| France (CNIL) | €20 million | 2022 |
| Italy (Garante) | €20 million | 2022 |
| Greece (HDPA) | €20 million | 2022 |
| Netherlands (AP) | €30.5 million | 2024 |
| United Kingdom (ICO) | £7.5 million | 2022 |
In October 2025, Austrian NGO noyb filed a criminal complaint against Clearview AI's management — executives may face criminal prosecution for ignoring regulatory decisions.
Why this case matters
Biometric data is not ordinary data
Facial recognition works with biometric data — a special category of personal data under Article 9 of the GDPR. Processing requires explicit consent or another lawful exception. Clearview AI had neither.
"Publicly available" does not mean "free to use"
Clearview AI argued the photos were publicly accessible. Regulators rejected this argument. The fact that data is publicly available does not mean it can be processed without a legal basis. Posting a photo on social media is not consent to its use for facial recognition.
Enforcement has global reach
GDPR protects European citizens' data regardless of where the processor is based. A US company is subject to European regulation if it processes data of European residents — even without a physical presence in the EU.
Lessons for businesses
The Clearview AI case is extreme, but the principles apply universally:
- Consent must be active and informed. Passive "consent" from a user visiting a website or posting a photo does not exist.
- Processing must have a legal basis. Every type of processing — from cookies to analytics to personalization — requires a clear legal basis.
- Documentation is key. If you cannot prove how and when you obtained consent, the regulator will assume you didn't.
Waulter CMP ensures every consent is documented, timestamped, and traceable. Audit trail, integration with legal documents, and granular scenario management — these are the tools that make a difference during an inspection.
Sources: EDPB — national supervisory authority decisions (FR, IT, GR, NL, UK), noyb.eu, gdpr.cz (April 2026)