
Today, noyb (None of Your Business), the Vienna-based privacy advocacy organization led by activist and lawyer Max Schrems, submitted a formal criminal complaint to Austrian public prosecutors targeting Clearview AI and its executives.
The move marks a shift from administrative enforcement of data protection laws to the potential for criminal liability, including personal accountability for the company’s leadership and possible EU-wide arrest warrants.
Clearview AI, a New York-based technology company, gained notoriety in 2020 following a New York Times exposé that revealed its secretive harvesting of facial images from across the internet. The firm has since claimed to have amassed over 60 billion facial images, scraped from public websites, social media platforms, and online video stills. Its software allows clients to upload a photo of a person and receive a match from its database, including metadata and links to the original source pages. While Clearview markets its tool primarily to law enforcement agencies, investigations have revealed its use by private corporations, including Walmart and Bank of America.
Several European Data Protection Authorities (DPAs) have ruled that Clearview’s practices clearly violate the General Data Protection Regulation (GDPR), citing the lack of a legal basis for processing biometric data of EU citizens. Between 2022 and 2024, the French CNIL, Greek Hellenic DPA, Italian Garante, and Dutch DPA imposed fines totaling €90.5 million. The UK’s Information Commissioner’s Office (ICO) also levied a £7.5 million fine and ordered the deletion of all UK-related data. Austria’s DPA had previously declared Clearview’s operations illegal.
However, despite these rulings and penalties, Clearview AI has refused to comply with any of the enforcement measures, except in the UK, where it filed an appeal, currently pending a final decision. In the remaining cases, the company neither paid the fines nor ceased processing European data.
Describing the company's behavior as contemptuous of European legal frameworks, Schrems emphasized the need to escalate enforcement beyond the limitations of civil penalties. Under Article 84 of the GDPR, EU member states can implement criminal sanctions for certain data protection breaches. Austria’s national Data Protection Act includes such provisions in §63, enabling criminal prosecution of both companies and their executives.
The criminal complaint filed by noyb invokes these legal avenues, calling for a full criminal investigation into Clearview AI’s operations and the personal liability of its management. If the Austrian prosecutor proceeds with the case, company executives could face arrest if they enter EU territory and may be subject to broader criminal cooperation mechanisms within the Schengen area.
“Clearview AI seems to simply ignore EU fundamental rights and just spits in the face of EU authorities,” Schrems stated, underscoring the unprecedented scale and audacity of the company’s conduct. He likened the situation to criminal cases involving cross-border theft, arguing that data violations of such scale deserve equivalent prosecutorial attention.






