法律翻译｜奥地利监管机构就Clearview AI公司违反GDPR条款作出决定

译者 | 孙书朋 西南政法大学硕士

一审 | 廖林风 清华大学法学学士

二审 | peipei 英国布里斯托大学法学硕士

编辑 | NYZ 武汉大学本科

         于杰 上海对外经贸大学本科

责编 | 戚琳颖 大连海事大学本科 

Decision by the Austrian SA against Clearview AI Infringements of Articles 5, 6, 9, 27 GDPR

奥地利监管机构就Clearview AI公司违反GDPR第5条、第6条、第9条和第27条作出决定

Date of decision: 10 May 2023 

Cross-border case or national case: National case

Controller: Clearview AI

Legal references: Article 5, Article 6, Article 9, Article 27 GDPR

Decision: Infringement of the GDPR, Order to erase complainant’s data, Order to name an Article 27 representative

Key words: Facial recognition; biometric data 

决定日期：2023年5月10日

跨境案件/国内案件：国内案件

控制者：Clearview AI公司

法律索引：GDPR第5条、第6条、第9条和第27条

决定：Clearview AI公司违反GDPR、监管机构命令其删除申诉人的数据、监管机构命令其委任一名第27条规定的GDPR代表

关键词：人脸识别；生物特征数据

（图片源于网络）

Origin of the case

Following a complaint the Austrian SA (DSB) issued a decision against the facial recognition company Clearview AI on the 10th of May 2023.

案件起因

奥地利监管机构（数据保护监管机构）在收到申诉后，于2023年5月10日针对Clearview AI人脸识别公司作出决定。

The company reportedly owns a database including over 30 billion facial images from all over the world, which are extracted from public web sources (media outlets, social media, online videos) via web scraping. It offers a sophisticated search service which allows, through AI systems, creating profiles on the basis of the biometric data extracted from the images. The profiles can be enriched by information linked to those images such as image tags and geolocation or the source web pages.

Due to a request for access, the complainant found out that his image data is also processed by Clearview AI. Thereupon he lodged a complaint with the Austrian SA.

Key Findings

The DSB found that Clearview AI infringed the following provisions of the GDPR:

裁判要旨

数据保护监管机构认定Clearview AI公司违反GDPR中的下列条款：

Article 5(1)(a): The processing of the complainant's personal data lacked lawfulness, fairness and transparency.

Article 5(1)(b): The processing carried out by Clearview AI serves a completely different purpose from the original publication of the complainant's personal data (especially photographs).

Article 5(1)(c): The permanent storage of personal data also constitutes a breach of data minimisation principle.

Article 9(1): The scanning of the complainant's face, the extraction of his uniquely identifying facial features and the translation of these features into vectors constitutes processing of special categories of personal data. An exception to the processing prohibition pursuant to Article 9(2) does not apply in this case, which is why the processing was carried out in violation of Article 9(1) GDPR.

To the extent that the complainant's personal data did not constitute special categories of personal data and thus Art. 9 GDPR did not apply, the processing would be unlawful:

Article 6(1): of Clearview AI could only have been covered by Article 6(1)(f) GDPR. After an extensive weighing of interests, the DSB came to the conclusion that, due to the serious intrusion into his privacy, the interests of the complainant clearly outweighed the purely commercial interests of Clearview AI.

（图片源于网络）

Decision

The Austrian SA found that Clearview AI infringed the above provisions of the GDPR.

决定

奥地利监管机构认定Clearview AI公司违反了上述GDPR条款。

Clearview AI was ordered to erase the complainant’s personal data and to designate a representative within the European Union.

奥地利监管机构命令Clearview AI公司删除申诉人的个人数据并在欧盟境内指定GDPR代表。

原文链接：https://edpb.europa.eu/news/national-news/2023/decision-austrian-sa-against-clearview-ai-infringements-articles-5-6-9-27_en