Privacy International and allies' GDPR complaints against Clearview AI across Europe (2021–ongoing)

In May 2021, Privacy International and a coalition of European digital rights organisations filed coordinated GDPR complaints against Clearview AI Inc. in five European jurisdictions, targeting the US company's practice of scraping more than 10 billion facial images from the internet to build a biometric identification database sold primarily to law enforcement. The complaints were filed simultaneously by Privacy International in the UK and France; by the Hermes Center for Transparency and Digital Human Rights in Italy; by Homo Digitalis in Greece; and by noyb (European Center for Digital Rights) in Austria. The coalition's press release framed the action as addressing the straightforward fact that "extracting our unique facial features or even sharing them with the police and other companies goes far beyond what we could ever expect as online users."

The complaint and legal basis

The complaints argued that Clearview AI's entire business model constituted a GDPR violation at multiple levels simultaneously. Under Article 9, facial recognition data is biometric special-category data, and Clearview had no valid exception to the prohibition on processing it — the company's implicit reliance on Article 9(2)(e) (data "manifestly made public" by the subject) did not apply to images scraped wholesale without context and repurposed for biometric identification. Under Article 6, Clearview had no lawful basis for processing at all: it had no consent, no contract, and claimed legitimate interest — which the complaints argued was outweighed by the fundamental intrusion into individuals' right not to be subjected to surveillance of their bodies every time they appear in a public space. Under Article 5's purpose limitation principle, images posted to social media for social networking purposes could not lawfully be repurposed for commercial biometric surveillance. The company had also failed to appoint an EU representative as required by Article 27, making accountability and enforcement structurally difficult.

The coordinated multi-jurisdiction structure was deliberately chosen rather than incidental: filing in five European jurisdictions simultaneously created multiple enforcement vectors, and the coalition was explicit that facial recognition systems of this type introduce "constant surveillance of our bodies" that no regulatory safeguard short of prohibition or enforcement cessation orders could adequately address.

The enforcement wave

All five jurisdictions found Clearview AI in violation of GDPR.

Italy (Garante per la Protezione dei Dati Personali) moved first. On 10 February 2022, the Garante imposed a €20 million fine, banned further web scraping of images and metadata relating to Italian residents, ordered deletion of Italian residents' biometric data, and required Clearview to designate an EU representative. The Garante found violations of Articles 5, 6, 13–14, 15, and 27.

Greece (Hellenic Data Protection Authority) ruled on 13 July 2022: €20 million fine, violations of GDPR lawfulness and transparency principles, cessation and deletion orders for Greek residents' biometric data.

France (CNIL) ruled on 19 October 2022: €20 million fine, plus a supplementary penalty of €100,000 for each day Clearview failed to delete French residents' data within two months of the decision. The CNIL found violations of Articles 6, 12, 15, 17, and 31 — the Article 31 violation (non-cooperation with the supervisory authority) was separately significant, as it reflected Clearview's pattern of non-engagement with enforcement proceedings rather than just the underlying data collection.

Austria (Datenschutzbehörde, DSB) ruled on 10 May 2023. The DSB imposed no monetary fine but issued a substantive decision finding violations of Articles 5(1)(a), 5(1)(b), 5(1)(c), 6(1), and 9(1), and ordered erasure of the complainant's data and EU representative designation. The DSB's reasoning on Article 6(1)(f) was notable: it found that Clearview's "purely commercial interests" were outweighed by the serious intrusion into individuals' privacy, and that the purpose for which images were originally published was entirely incompatible with Clearview's permanent vectorisation of facial features.

UK trajectory

The UK ICO issued a provisional enforcement notice in December 2021 with a provisional fine of £17 million, finding that Clearview had unlawfully collected images of UK residents, failed to process data in a way that was fair and transparent, and had no lawful basis under UK GDPR. Clearview submitted representations and appealed; the ICO issued its final decision in May 2022. Clearview subsequently brought a legal challenge arguing the ICO lacked jurisdiction over the company given its US domicile and its customers being primarily non-UK law enforcement. On 13 October 2025, the UK Upper Tribunal rejected this argument, confirming that Clearview remains bound by UK GDPR.

Dutch enforcement

In a subsequent, independently initiated investigation not part of the original 2021 coalition complaints, the Dutch Autoriteit Persoonsgegevens ruled on 16 May 2024: a €30.5 million fine — the largest Clearview fine in Europe to date — plus four compliance orders. The Dutch authority specifically cited Clearview's denial of two data subject access requests as a separately enumerated violation alongside the foundational Articles 5, 6, and 9 breaches that all six jurisdictions found.

Compliance gap

Across the enforcement wave, Clearview's response to orders has consistently been non-compliance: the company removed instructions for data access and deletion requests from its website, failed to designate an EU representative as ordered across multiple jurisdictions, and did not delete European residents' biometric data within the ordered timeframes. Regulators have maintained that the company's GDPR obligations remain fully in force regardless of its non-response; the UK Upper Tribunal ruling in 2025 closed the jurisdictional escape route that had been Clearview's most legible defence.

Significance in the corpus

This campaign occupies a distinctive position alongside the #BanBS coalition and the Reclaim Your Face European Citizens' Initiative in the corpus's biometric-surveillance cluster, but its character differs from both. The #BanBS and Reclaim Your Face campaigns were principally political mobilisations demanding prohibition at the legislative level; the Privacy International coalition action was a regulatory enforcement play using existing law against a specific company whose business model was an unambiguous violation of it. The case became a demonstration of GDPR's extraterritorial reach — the ability of European data protection authorities to impose substantial penalties on a US-headquartered company whose product was not marketed into Europe but whose data collection indiscriminately swept European residents. The Italian Garante's February 2022 ruling was the first European DPA to reach a final decision on Clearview, and the cumulative fine total across the five original jurisdictions and the subsequent Dutch enforcement exceeds €100 million — a quantum not seen on biometric surveillance enforcement before these cases.