Noyb files criminal complaint against Clearview AI over mass facial-recognition data scraping
The privacy rights group noyb has filed a criminal complaint in Austria against Clearview AI and its executives, alleging persistent violations of EU data protection law. The US-based facial recognition firm, already fined by several European regulators for unlawful biometric data processing, is accused of ignoring EU enforcement orders and continuing to operate outside European legal frameworks.
Clearview AI, a US company founded in 2017, builds facial recognition databases by scraping billions of publicly available images from websites and social media platforms. According to the company’s own claims, its database now contains over 60 billion photos, which allow users to identify individuals simply by uploading a single image. The software then returns matching photos and related metadata, such as webpage links or subpage names.
The company promotes its technology primarily to law enforcement and security agencies, but investigations have revealed that private corporations, including large retailers and banks, have also used Clearview’s services. The company’s practices were first brought to public attention by The New York Times in 2020, sparking widespread criticism from privacy advocates and regulators.
Previous enforcement actions across Europe
Since 2021, multiple European data protection authorities (DPAs) have found Clearview AI’s activities to be incompatible with the EU General Data Protection Regulation (GDPR).
- France’s CNIL, Greece’s Hellenic DPA, Italy’s Garante, the Netherlands’ AP, and the UK’s ICO have each imposed fines amounting to roughly €100 million in total, citing unlawful processing of biometric data and lack of user consent.
- The Austrian DPA also deemed Clearview’s operations illegal, and several regulators have issued bans prohibiting the company from handling Europeans’ personal data.
However, Clearview AI has largely ignored these sanctions. The company did not contest most of the decisions and has not paid the fines. Only in the United Kingdom did it file an appeal, which remains pending before national courts.
This situation has exposed a major enforcement gap in the EU’s ability to compel non-EU companies to comply with its privacy rulings, particularly when the companies have no physical presence within the European Union.
the new criminal complaint
Noyb (None of Your Business) – the Vienna-based digital rights organisation led by privacy activist Max Schrems – has escalated the matter by filing a criminal complaint with Austrian prosecutors. Unlike administrative GDPR fines, which are imposed by data protection authorities, criminal sanctions can target both companies and their executives personally.
The legal basis for the complaint lies in Article 84 of the GDPR, which permits EU member states to establish criminal penalties for certain data protection breaches. Austria has implemented this through § 63 of its Data Protection Act, allowing prosecutors to pursue individuals responsible for serious violations.
If the case proceeds, Clearview AI’s managers could face personal liability and potential prison sentences, especially if they travel to or conduct business within EU territory.
Statements from Max Schrems and noyb
Max Schrems described Clearview’s mass-scale facial recognition as ‘extremely invasive,’ warning that it enables ‘mass surveillance and immediate identification of millions of people.’ He argued that such systems undermine the principles of privacy and freedom that underpin democratic societies:
‘Clearview AI amassed a global database of photos and biometric data, which makes it possible to identify people within seconds. Such power is extremely concerning and undermines the idea of a free society, where surveillance is the exception instead of the rule.’
Schrems also criticised the lack of effective enforcement mechanisms in the EU:
‘Clearview AI seems to simply ignore EU fundamental rights and just spits in the face of EU authorities.
