Clearview’s status as an international pariah really hasn’t changed much over the past few years. It may be generating fewer headlines, but nothing’s really changed about the way it does business.

Clearview has spent years scraping the web, compiling as much personal info as possible to couple with the billions of photos it has collected. It sells all of this to whoever wants to buy it. In the US, this means lots and lots of cop shops. Also, in the US, Clearview has mostly avoided running into a lot of legal trouble, other than a couple of lawsuits stemming from violations of certain states’ privacy laws.

Elsewhere in the world, it’s a different story. It has amassed millions in fines and plenty of orders to exit multiple countries immediately. These orders also mandate the removal of photos and other info gathered from accounts of these countries’ residents.

It doesn’t appear Clearview has complied with many of these orders, much less paid any of the fines. Clearview’s argument has always been that it’s a US company and, therefore, isn’t subject to rulings from foreign courts or mandates from foreign governments. It also appears Clearview might not be able to pay these fines if forced to, considering it’s now offering lawsuit plaintiffs shares in the company, rather than actual cash, to fulfill its settlement obligations.

Australia is one of several countries that claimed Clearview routinely violated privacy laws. Australia is also one of several that told Clearview to get out. Clearview’s response to the allegations and mandates delivered by Australian privacy regulators was the standard boilerplate: we don’t have offices in the Australia so we’re not going to comply with your demands.

Perhaps it’s this international stalemate that has prompted the latest bit of unfortunate news on the Clearview-Australia front. The Office of the Australian Information Commissioner (OAIC) has issued a statement that basically says it’s not going to waste any more time and money trying to get Clearview to respect Australia’s privacy laws. (h/t The Conversation)

Before giving up, the OAIC has this to say about its findings:

That determination found that Clearview AI, through its collection of facial images and biometric templates from individuals in Australia using a facial recognition technology, contravened the Privacy Act, and breached several Australian Privacy Principles (APPs) in Schedule 1 of the Act, including by collecting the sensitive information of individuals without consent in breach of APP 3.3 and failing to take reasonable steps to implement practices, procedures and systems to comply with the APPs.

Notably, the determination found that Clearview AI indiscriminately collected images of individuals’ faces from publicly available sources across the internet (including social media) to store in a database on the organisation’s servers. 

This was followed by the directive ordering Clearview to stop doing business in the country and delete any data it held pertaining to Australian residents. The statement notes Clearview’s only responses were a.) challenging the order in court in 2021 and b.) withdrawing entirely from the proceedings two years later. The OAIC notes that nothing appears to have changed in terms of how Clearview handles its collections. It also says it has no reason to believe Clearview has stopped collecting Australian persons’ data.

Despite all of that, it has decided to do absolutely nothing going forward:

Privacy Commissioner Carly Kind said, “I have given extensive consideration to the question of whether the OAIC should invest further resources in scrutinising the actions of Clearview AI, a company that has already been investigated by the OAIC and which has found itself the subject of regulatory investigations in at least three jurisdictions around the world as well as a class action in the United States. Considering all the relevant factors, I am not satisfied that further action is warranted in the particular case of Clearview AI at this time.

That’s disappointing. It makes it clear the company can avoid being held accountable for its legal violations by simply refusing to honor mandates issued by foreign countries or pay any fines levied. It can just continue to be the awful, ethically-horrendous company it has always been because, sooner or later, regulators are just going to give up and move on to softer targets.

[…]

Source: Australian Regulators Decide To Do Absolutely Nothing About Clearview’s Privacy Law Violations | Techdirt

Privacy authorities in the Netherlands have imposed a €290 million ($324 million) fine on ride-share giant Uber for sending driver data to servers in the United States – “a serious violation” of the EU’s General Data Protection Regulation (GDPR).

According to the Dutch Data Protection Authority (DPA), Uber spent years sending sensitive driver information from Europe to the US. Among the data that was transmitted were taxi licenses, location data, payment details, identity documents, and medical and criminal records. The data was sent abroad without the use of “transfer tools,” which the DPA said means the data wasn’t sufficiently protected.

“Businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union,” Dutch DPA chairman Aleid Wolfsen said of the decision. “Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious.”

The Dutch DPA said that the investigation that led to the fine began after complaints from a group of more than 170 French Uber drivers who alleged their data was being sent to the US without adequate protection. Because Uber’s European operations are based in the Netherlands, enforcement for GDPR violations fell to the Dutch DPA.

Unfortunately for Uber, it already has an extensive history with the Dutch DPA, which has fined the outfit twice before.

The first came in 2018 when the authority fined Uber €600,000 for failing to report a data breach (a slugfest that several EU countries joined in on). The latter €10 million fine came earlier this year after Dutch officials determined Uber had failed to disclose data retention practices surrounding the data of EU drivers, refusing to name which countries data was sent to, and had obstructed its drivers’ right to privacy.

[…]

The uncertainty Uber refers to stems from the EU’s striking down of the EU-US Privacy Shield agreement and the years of efforts to replace it with a new rule that defines the safe transfer of personal data between the two regions.

Uber claims it’s done its job under the GDPR to safeguard data belonging to European citizens – it didn’t even need to make any data transfer process changes to comply the latest rules.

[…]

Source: Dutch officials fine Uber €290M for GDPR violations • The Register