Back to news

Clearview AI — €100 million in fines for biometric data without consent

· Waulter team
Clearview AI biometrics GDPR fines enforcement facial recognition

The company that scraped billions of photos from the internet

Clearview AI is a US company that scraped over 30 billion photographs from publicly available sources — social networks, news sites, personal websites — without users' knowledge or consent. From these images, it built a facial recognition database and offered it to law enforcement and private companies.

European supervisory authorities responded with a series of fines totaling over €100 million. However, Clearview AI has not paid most of them and has not stopped processing European citizens' data.

Fines across Europe

Country Fine Year
France (CNIL)€20 million2022
Italy (Garante)€20 million2022
Greece (HDPA)€20 million2022
Netherlands (AP)€30.5 million2024
United Kingdom (ICO)£7.5 million2022

In October 2025, Austrian NGO noyb filed a criminal complaint against Clearview AI's management — executives may face criminal prosecution for ignoring regulatory decisions.

Why this case matters

Biometric data is not ordinary data

Facial recognition works with biometric data — a special category of personal data under Article 9 of the GDPR. Processing requires explicit consent or another lawful exception. Clearview AI had neither.

"Publicly available" does not mean "free to use"

Clearview AI argued the photos were publicly accessible. Regulators rejected this argument. The fact that data is publicly available does not mean it can be processed without a legal basis. Posting a photo on social media is not consent to its use for facial recognition.

Enforcement has global reach

GDPR protects European citizens' data regardless of where the processor is based. A US company is subject to European regulation if it processes data of European residents — even without a physical presence in the EU.

Lessons for businesses

The Clearview AI case is extreme, but the principles apply universally:

  • Consent must be active and informed. Passive "consent" from a user visiting a website or posting a photo does not exist.
  • Processing must have a legal basis. Every type of processing — from cookies to analytics to personalization — requires a clear legal basis.
  • Documentation is key. If you cannot prove how and when you obtained consent, the regulator will assume you didn't.

Waulter CMP ensures every consent is documented, timestamped, and traceable. Audit trail, integration with legal documents, and granular scenario management — these are the tools that make a difference during an inspection.


Sources: EDPB — national supervisory authority decisions (FR, IT, GR, NL, UK), noyb.eu, gdpr.cz (April 2026)

Want to keep consent under control?

Waulter CMP helps you with consent management, GDPR compliance, and cookie banner optimization.