法律翻译|奥地利监管机构就Clearview AI公司违反GDPR条款作出决定
译者 | 孙书朋 西南政法大学硕士
一审 | 廖林风 清华大学法学学士
二审 | peipei 英国布里斯托大学法学硕士
编辑 | NYZ 武汉大学本科
于杰 上海对外经贸大学本科
责编 | 戚琳颖 大连海事大学本科
Decision by the Austrian SA against Clearview AI Infringements of Articles 5, 6, 9, 27 GDPR
奥地利监管机构就Clearview AI公司违反GDPR第5条、第6条、第9条和第27条作出决定
Background Information
背景信息
Date of decision: 10 May 2023
Cross-border case or national case: National case
Controller: Clearview AI
Legal references: Article 5, Article 6, Article 9, Article 27 GDPR
Decision: Infringement of the GDPR, Order to erase complainant’s data, Order to name an Article 27 representative
Key words: Facial recognition; biometric data
决定日期:2023年5月10日
跨境案件/国内案件:国内案件
控制者:Clearview AI公司
法律索引:GDPR第5条、第6条、第9条和第27条
决定:Clearview AI公司违反GDPR、监管机构命令其删除申诉人的数据、监管机构命令其委任一名第27条规定的GDPR代表
关键词:人脸识别;生物特征数据
(图片源于网络)
Summary of the Decision
决定概要
Origin of the case
Following a complaint the Austrian SA (DSB) issued a decision against the facial recognition company Clearview AI on the 10th of May 2023.
案件起因
奥地利监管机构(数据保护监管机构)在收到申诉后,于2023年5月10日针对Clearview AI人脸识别公司作出决定。
The company reportedly owns a database including over 30 billion facial images from all over the world, which are extracted from public web sources (media outlets, social media, online videos) via web scraping. It offers a sophisticated search service which allows, through AI systems, creating profiles on the basis of the biometric data extracted from the images. The profiles can be enriched by information linked to those images such as image tags and geolocation or the source web pages.
据称,该公司所拥有的数据库从全球收录了逾300亿张人脸图像,这些图像均通过网页抓取(web scraping)技术提取自公共网络资源(媒体机构、社交媒体、网络视频)。该公司提供先进的搜索服务,使得用户可以通过人工智能系统,利用从图像中提取的生物特征数据创作画像。与人脸图像相关的信息(诸如图像标签和地理位置或者源网页等)使得这些画像更加丰富立体。
Due to a request for access, the complainant found out that his image data is also processed by Clearview AI. Thereupon he lodged a complaint with the Austrian SA.
申诉人通过请求访问该公司数据发现Clearview AI公司也在处理他的图像数据。因此,申诉人向奥地利监管机构正式提出申诉。
Key Findings
The DSB found that Clearview AI infringed the following provisions of the GDPR:
裁判要旨
数据保护监管机构认定Clearview AI公司违反GDPR中的下列条款:
Article 5(1)(a): The processing of the complainant's personal data lacked lawfulness, fairness and transparency.
第5条第(1)款(a)项:该公司处理申诉人的个人数据缺乏合法性、公平性和透明性。
Article 5(1)(b): The processing carried out by Clearview AI serves a completely different purpose from the original publication of the complainant's personal data (especially photographs).
第5条第(1)款(b)项:该公司处理个人数据(尤其是照片)的用处完全不符合原本公开宣称的目的。
Article 5(1)(c): The permanent storage of personal data also constitutes a breach of data minimisation principle.
第5条第(1)款(c)项:永久储存个人数据也违反了数据最小化原则。
Article 9(1): The scanning of the complainant's face, the extraction of his uniquely identifying facial features and the translation of these features into vectors constitutes processing of special categories of personal data. An exception to the processing prohibition pursuant to Article 9(2) does not apply in this case, which is why the processing was carried out in violation of Article 9(1) GDPR.
第9条第(1)款:扫描申诉人的面部,提取申诉人独特的面部识别特征并将这些特征转化为计算机模型属于处理特殊类型的个人数据。而第9条第(2)款所规定的禁止处理特殊类型个人数据的例外情形不适用于本案,因此该公司处理申诉人个人数据违反了GDPR第9条第(1)款。
To the extent that the complainant's personal data did not constitute special categories of personal data and thus Art. 9 GDPR did not apply, the processing would be unlawful:
就申诉人非特殊类型个人数据而言,此类数据不适用于GDPR第9条,但是处理此类数据也是非法的:
Article 6(1): of Clearview AI could only have been covered by Article 6(1)(f) GDPR. After an extensive weighing of interests, the DSB came to the conclusion that, due to the serious intrusion into his privacy, the interests of the complainant clearly outweighed the purely commercial interests of Clearview AI.
GDPR第6条第(1)款:Clearview AI公司处理非特殊类型个人数据的行为只能由GDPR第6条第(1)款(f)项规制。在广泛权衡利益之后,奥地利数据保护监管机构最终认定:由于申诉人的隐私被严重侵犯,申诉人的利益明显超过了Clearview AI公司的纯商业利益。
(图片源于网络)
Decision
The Austrian SA found that Clearview AI infringed the above provisions of the GDPR.
决定
奥地利监管机构认定Clearview AI公司违反了上述GDPR条款。
Clearview AI was ordered to erase the complainant’s personal data and to designate a representative within the European Union.
奥地利监管机构命令Clearview AI公司删除申诉人的个人数据并在欧盟境内指定GDPR代表。
原文链接:https://edpb.europa.eu/news/national-news/2023/decision-austrian-sa-against-clearview-ai-infringements-articles-5-6-9-27_en
微信扫码关注该文公众号作者