

These developments, and more, are covered below.

(1) CNIL imposes an additional sanction on Clearview AI for not complying with its previous order

What happened: The CNIL fined Clearview AI €5.2 million for failing to comply with the CNIL’s previous order.

As we covered here, last October, the CNIL fined Clearview AI €20 million for various data protection violations, including “intrusive and massive” data processing without consent or a valid legitimate interest. The CNIL, therefore, ordered Clearview to: (i) stop collecting and using personal data linked to individuals in France without any legal basis and (ii) delete the data already collected, with an additional penalty of €100,000 per day of non-compliance after a two-month grace period. However, Clearview AI has not provided the CNIL with evidence that it is now compliant with the order, so the CNIL decided to enforce the additional penalty. If the company’s failings continue, further penalties are likely to be imposed.

This is not the first time that Clearview AI has been subject to enforcement; the company’s business operations have caught the attention of multiple data protection regulators around the world. Most recently, the Austrian data protection authority (“Datenschutzbehörde”) decided that Clearview AI is no longer allowed to process a certain complainant’s biometric data, and has to delete all personal data relating to the complainant. In contrast to other EU data protection authorities (“DPAs”), such as the Italian (March 2022) and Hellenic (July 2022) authorities, the Datenschutzbehörde did not impose a general ban on Clearview AI’s operations within Austria or issue a fine against the company. However, it expressly reserved these measures to a separate investigation.

What to do: Businesses should make sure to follow up on compliance orders within the allotted time to avoid additional sanctions. With enforcement by several European DPAs against Clearview AI, businesses with no presence in the EEA should keep in mind the GDPR’s potential extra-territorial reach, especially given the complexities in complying with the GDPR in the AI, algorithmic decision-making and machine learning contexts.

(2) CJEU rules on GDPR compensation and data subject rights

What happened: The CJEU, the highest EU court, handed down two decisions regarding the GDPR.
