On the 4th September 2024 came the news that Clearview AI faces a 30.5M ($33.7M) fine for building a Facial Recognition Database. So Clearview AI is located in the USA and the fining organization is the "Autoriteit Persoonsgegevens", which is the Dutch DPA. They are fined for building an illegal database with billions of photos of faces, including those of Dutch citizens.
"Facial recognition is a highly intrusive technology that you cannot simply unleash on anyone in the world," Dutch DPA chairman Aleid Wolfsen said in a press statement.
"If there is a photo of you on the Internet – and doesn't that apply to all of us? – then you can end up in the database of Clearview and be tracked. This is not a doom scenario from a scary film. Nor is it something that could only be done in China."
Clearview AI has been in regulatory hot water across several countries, such as the U.K., Australia, France, and Italy, over its practice of scraping publicly available information on the internet to build a vast database comprising more than 50 billion photos of people's faces.
The individuals identified from these images are assigned a unique biometric code, which is then packaged as part of intelligence and investigative services offered to its law enforcement clients to "rapidly identify suspects, persons of interest, and victims to help solve and prevent crimes."
The Dutch DPA, in addition to accusing Clearview of collecting users' facial data without their consent or knowledge, said the company "insufficiently" informs the people who are in its database about how their data is used and that it doesn't offer a mechanism to access their data upon request.
Currently, Clearview only offers residents of six U.S. states – California, Colorado, Connecticut, Oregon, Utah, and Virginia – the ability to access, delete, and opt out of profiling.
It also alleged that the New York-based firm did not stop the violations even after the investigation, ordering it to cease them with immediate effect or risk facing an additional fine of €5.1 million ($5.6 million). Furthermore, the ruling bans Dutch companies from using Clearview's services.
"We are now going to investigate if we can hold the management of the company personally liable and fine them for directing those violations," Wolfsen said.
"That liability already exists if directors know that the GDPR is being violated, have the authority to stop that, but omit to do so, and in this way consciously accept those violations."
In a statement shared with the Associated Press, Clearview said it doesn't fall under EU data protection regulations as it does not have a place of business in the Netherlands or the E.U. It also described the decision as "unlawful."
With this last statement, we are getting to the interesting point of this discussion. It's obviously true that laws are not the same in each country. While not very easy to conclude, there are about 249 sovereign states in the world, inclusive some non recognized countries, such as Taiwan. Can we expect that a company from one of these countries abides to all laws of all the other countries, which can even have contradicting laws.
Let's delve a bit into this possible contradiction of EU and USA law.
The United States (USA) and the European Union (EU) have different laws and regulations on various issues, which can sometimes lead to contradictions. Here's an example:
Example: Data Protection
- USA: The General Data Protection Regulation (GDPR) is not applicable in the USA. Instead, the country has its own data protection law called the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA regulates the use and disclosure of protected health information by healthcare providers, insurance companies, and other entities.
- EU: The GDPR applies to all EU member states and requires organizations that process personal data to comply with strict rules regarding transparency, consent, security, and breach notification.
Contradiction:
The main contradiction between the USA and the EU is in their approach to data protection:
- In the USA, companies can collect and use personal data without explicit user consent, as long as they follow HIPAA guidelines.
- In contrast, the GDPR requires organizations to obtain explicit consent from users before collecting or processing their personal data.
This difference has significant implications for businesses operating across both regions. For instance:
- A US-based company may be able to collect and use personal data without obtaining user consent, but if it wants to operate in an EU country, it must comply with the GDPR's stricter rules.
- An EU-based company that operates globally might need to adapt its data protection practices for each region, which can lead to increased complexity and costs.
Other examples of contradicting laws between the USA and the EU include:
- Privacy: The EU has strict privacy regulations (e.g., GDPR), while the USA has a more permissive approach.
- Food labeling: The EU requires food manufacturers to label genetically modified organisms (GMOs) on packaging, whereas in the USA, GMO labeling is voluntary.
- Environmental standards: The EU has stricter environmental regulations than the USA, particularly regarding climate change and pollution.
These contradictions can create challenges for businesses operating across both regions, as they must navigate different regulatory environments to comply with laws and maintain consumer trust.
Of course the problem is that Internet has been an enormous driver of globalization and this globalized Internet world doesn't stop with borders. In fact, we are looking at a world with countries that emerged out of the Renaissance and decolonization of the 20th century. A world where there was no Internet and a border was a border. The implications are huge and difficult.
Start writing here...