DECISION SUMMARY
What happened
On 10 February 2022, Italy's Garante per la Protezione dei Dati Personali adopted Decision 9751362, imposing a €20 million administrative fine on Clearview AI Inc, a US-based facial-recognition company. Alongside the fine, the Garante ordered Clearview to delete all data relating to individuals in Italy, prohibited any further processing of personal data of individuals in Italy, ordered Clearview to designate a representative in the EU under Article 27 GDPR, and required Clearview to pay a separate procedural penalty for failure to cooperate.
The investigation followed complaints by the Italian digital-rights group Hermes Center for Transparency and Digital Human Rights and others, who alleged that Clearview's scraping operations had collected facial images of Italian residents and made them searchable to Clearview's commercial and government customers. The Garante undertook a coordinated investigation alongside the French CNIL, the UK ICO, the Greek HDPA, and the Dutch AP. Each authority reached substantively similar conclusions and imposed parallel sanctions in 2022-2023; the Italian decision came first chronologically.
Clearview's business model, as described in the decision, involves systematically crawling publicly accessible web pages (social media profiles, news articles, blog posts) to download photographs, extracting biometric facial vectors from each photograph using a proprietary computer-vision model, and indexing the vectors in a searchable database. A customer (typically a law enforcement agency, but Clearview's commercial customer base has been broader at various times) submits a query photograph; the Clearview system returns the set of indexed photographs whose biometric vectors are closest matches, along with the source URLs and any associated metadata. The database is reported by Clearview to contain more than 30 billion images.
What the Garante found
The first substantive finding is Article 3 extraterritoriality. Clearview has no establishment in the EU. Article 3(2)(b) extends GDPR application to controllers not established in the EU where they process personal data of data subjects who are in the EU in connection with the monitoring of their behaviour as far as their behaviour takes place within the EU. The Garante found that scraping the publicly available images of Italian residents and indexing them for identification searches constitutes monitoring of behaviour, particularly because the system enables retrospective and ongoing identification of individuals based on their physical appearance, location and depicted activities. Article 3 jurisdiction was therefore established.
The Article 6 lawful-basis finding is straightforward: Clearview could not identify any Article 6(1) basis. Consent (6(1)(a)) was not obtained from the data subjects whose images were scraped. Contract (6(1)(b)) was not applicable because there was no contract with the data subjects. Legal obligation (6(1)(c)) did not apply. Vital interests (6(1)(d)) did not apply. Public task (6(1)(e)) might be argued for narrow law-enforcement purposes under Member State law, but not for Clearview's general commercial database. Legitimate interests (6(1)(f)) requires a balancing test; the Garante found that the data subjects' fundamental-rights interests in not being subjected to biometric identification outweighed Clearview's commercial interest.
The Article 9 finding is structurally independent. Article 9(1) prohibits processing of special categories of personal data, including biometric data for the purpose of uniquely identifying a natural person. None of the Article 9(2) exceptions applied. The Garante also found infringements of Article 5 (fairness, transparency, purpose limitation, storage limitation), Article 13/14 (information to data subjects), Article 15 (data subject access), and Article 27 (failure to designate an EU representative). The cluster of findings reflects the comprehensive incompatibility of Clearview's business model with the GDPR framework.
Why this case matters
The Clearview decisions across Italy, France, UK, Greece, the Netherlands and (subsequently) Germany establish two doctrinally significant points. First, the GDPR has extraterritorial bite: a US company with no EU establishment can be fined for processing the data of EU residents collected from publicly available web sources. Second, the publicly-available nature of source data does not cure a lawful-basis problem: scraping images that were originally posted publicly does not create consent for biometric processing of those images for unrelated identification purposes.
The enforcement-collection challenge remains. Clearview disputes EU jurisdiction and has not paid the fines. Cross-border collection mechanisms under the Hague Conventions and bilateral treaties are slow and uncertain. The practical effect of the decisions is therefore primarily prohibitive: Clearview is barred from processing the data of EU residents, and its EU customer base has dwindled to effectively zero. The financial fine is symbolic rather than collected.
For the doctrinal lineage to the EU AI Act, the Clearview decisions are the regulatory ancestors of Article 5(1)(e) of Regulation (EU) 2024/1689, which prohibits placing on the market or putting into service of AI systems that create or expand facial-recognition databases through untargeted scraping of facial images from the internet or CCTV footage. The Clearview decisions established that this was prohibited under the GDPR, and the AI Act lifts the prohibition into a directly-applicable AI-system-specific rule. The two regulatory regimes now overlap, with the GDPR applying to processing operations and the AI Act applying to placing on the market.