How A Shady US AI Company Dodged Fines and Defied Regulators Across Europe
Clearview AI’s saga in Europe underscores the clash between international tech firms and supposedly robust EU privacy laws. Clearview’s refusal to pay fines and its claim of being outside EU jurisdiction highlight the enforcement challenges that regulators face in the digital age.
In July 2022, Greece’s data protection authority made waves across Europe’s privacy community. It handed Clearview AI, a secretive American tech startup, a record-breaking €20 million fine, ruling that the company had illegally harvested and processed the personal data of Greek citizens in blatant violation of the European Union’s General Data Protection Regulation (GDPR).
The ruling was a victory for privacy advocates. “Historic,” is how Konstantinos Kakavoulis, a lawyer with the Greek digital rights group Homo Digitalis, described it. His organization was among those that filed the initial complaint, which ultimately led to the fine–the largest ever levied by Greece’s Data Protection Authority (DPA) against a private company.
Greece wasn’t alone in trying to rein in Clearview. Regulators in France, Italy, the Netherlands, and Austria also ordered the company to delete European citizens’ data and imposed roughly €100 million in penalties.
Clearview, however, has yet to pay a single euro, a joint investigation by the Greek newsroom Solomon and Italy’s IrpiMedia has found. Despite mounting fines and explicit bans, the company appears to continue exploiting European data with little consequence.
The standoff between Clearview and EU regulators exposes a glaring weakness in Europe’s privacy regime: enforcement. While GDPR was designed as the world’s toughest data privacy law, Clearview’s defiance raises a troubling question: Can the EU hold global tech companies accountable?
In several high-profile cases, the answer has been yes, according to experts, but only when the companies in question, like Google, Amazon, and Meta, have an established presence in the EU.
All of this is unfolding as other, lesser-known facial recognition services — with similarly opaque practices — appear to be thriving quietly in the background, raising further concerns about the scale of unregulated biometric surveillance across borders.
A vast biometric database
Clearview AI, a US-based facial recognition company, has amassed one of the world’s largest biometric databases by systematically scraping billions of images from the internet without consent.
The company collects photographs from social media, news sites, and online sources, assembling detailed profiles of individuals without their knowledge. A single image–whether from a birthday post or a CCTV camera–can be enough to link a face to a vast web of personal data. Clearview markets its technology to law enforcement as a crime-solving aid, matching faces to photos pulled from social media, news sites, and other online sources.
Privacy advocates call it mass surveillance. They argue that Clearview’s indiscriminate collection of biometric data violates fundamental rights and tramples over privacy laws meant to protect individuals from mass data abuse. Critics also point to the company’s ideological leanings and deep ties to the US political right, framing its model as part of a broader trend of weaponizing surveillance in the name of security.
The company’s practices sparked a wave of regulatory pushback across Europe. Authorities in France, Italy, the Netherlands, and Austria concluded that Clearview had no legal basis to process the biometric data of EU citizens. They cited the company’s failure to obtain consent, its lack of transparency, and multiple breaches of the GDPR. Regulators ordered Clearview to delete all data related to European citizens and halt further collection.
Several EU regulators publicly condemned the company. “Facial recognition is a highly intrusive technology that you cannot simply unleash on anyone in the world,” said Aleid Wolfsen, chair of the Dutch DPA, when announcing a fine against Clearview in September 2024. “We have to draw a very clear line.”
Defying orders, dodging consequences
Clearview has ignored EU regulators’ orders. It has neither paid its fines nor, it appears, deleted European data, despite mounting penalties and explicit bans.
Several legal and jurisdictional loopholes help explain why. European regulators can issue decisions, but without real enforcement mechanisms those rulings remain largely symbolic.
“The case of Clearview shows that simply issuing a decision against a company is not always enough to stop violations of the law,” said a spokesperson for None of Your Business (NOYB), an Austrian digital rights nonprofit that filed complaints against Clearview AI. “These decisions must be flanked by measures, such as fines, that are effectively enforced.”
“The GDPR is one of the strictest data protection laws and has become the model for the adoption of several other data protection laws globally,” said Ioannis Kouvakas, Senior Legal Officer and Assistant General Counsel at Privacy International (PI), which was a driving force behind complaints against Clearview. “However, it means nothing if it cannot be properly enforced.”
At the heart of the issue is a legal vacuum: there are no existing treaties or international agreements between EU countries like Greece and the US that allow for the enforcement of such fines against American companies. Without a mechanism to compel compliance, European regulators are left issuing penalties that, for companies like Clearview, may amount to little more than warnings on paper.
The Greek DPA’s decision against Clearview.
A jurisdictional escape hatch
One of the biggest obstacles regulators face is that Clearview AI appears to have no offices, assets, or legal representatives in the European Union.
The GDPR was designed to apply extraterritorially — covering any company processing EU residents’ data, regardless of where it’s based. But enforcing penalties across borders is another matter entirely.
EU data protection authorities lack direct jurisdiction to seize assets or compel payment in the US. If a company like Clearview refuses to comply, regulators are left relying on voluntary cooperation — an approach that has yet to prove effective.
A 2021 study for the European Data Protection Board (EDPB) flagged this problem and called for stronger international cooperation. It warned that GDPR fines may be unenforceable abroad, as many countries — including the US — do not recognize foreign administrative penalties as legally binding. The report classified such fines as “public law” matters, which are typically excluded from international enforcement unless a specific treaty exists. It suggested interim fixes–including formal agreements between EU and non-EU regulators, and treating serious GDPR violations like cross-border criminal matters.
The EU has introduced other key digital governance laws–like the Digital Services Act (DSA) and the Digital Markets Act (DMA)–that could strengthen oversight. But as Kouvakas of PI noted, “these will prove to be of little real use if they are not properly enforceable when they are violated in practice.”
Two officials from Greece’s DPA, who requested anonymity in order to speak candidly, told Solomon that enforcement challenges like those posed by Clearview have surfaced in other cases as well. In some instances, personal information — such as phone numbers of Greek citizens — has appeared on websites seemingly operated by US-based entities. Because these platforms often fall outside the EU’s jurisdiction, regulators face persistent difficulties in safeguarding citizens’ data once it crosses borders.
A strategy of silence
Under Article 27 of the GDPR, companies outside the EU that process European citizens’ data are required to appoint an EU-based representative to liaise with regulators. Clearview never did — a violation in itself, and a key enforcement roadblock.
The company hasn’t just dodged the rules — it’s ignored the process entirely.
Because Clearview is based outside the EU, the Greek DPA routed the penalty notification through diplomatic channels, via Greece’s Ministry of Foreign Affairs, according to two DPA sources. The ministry then attempted to serve the notice to the company through the Greek consulate in New York, where Clearview lists its legal address. But the effort failed. An internal consular document dated September 2024 stated: “Service of the document was not possible… no representative showed up to receive it”. According to Greek authorities, Clearview has not responded at any stage of the proceedings.
Italy encountered a similar roadblock. Authorities also tried to notify the company through the consulate in New York, but the process remains in limbo because authorities have not received a reply. In 2024, the Italian DPA consulted the Avvocatura dello Stato, Italy’s State Attorney General’s Office, which recommended hiring a US law firm to assist–underscoring how regulators are forced to improvise legal solutions in the absence of cross-border enforcement tools.
Clearview has taken a similarly defiant and silent stance elsewhere. In 2021, France’s data protection watchdog, CNIL, issued a formal cease-and-desist order. Clearview didn’t respond. A year later, it skipped its own sanction hearing.
Without an EU-based representative or any meaningful engagement, regulators have been left with little leverage beyond issuing fines and bans, experts told Solomon. So far, those have gone unenforced.
As part of this investigation, Solomon submitted a data subject request to Clearview, inquiring whether the company had collected or retained personal data on one of our EU-based reporters. Clearview failed to respond.
Clearview’s legal defense: Not subject to the GDPR
Clearview has consistently rejected the idea that EU regulators have jurisdiction over it.
“Clearview AI does not have a place of business in the Netherlands or the EU, it does not have any customers in the Netherlands or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR,” said Jack Mulcaire, the company’s chief legal officer, in response to the €30.5 million Dutch fine in September 2024.
Access to Clearview’s tool from within the EU appears possible only through a Virtual Private Network (VPN), a move seemingly designed to limit regulatory scrutiny. But limiting direct access doesn’t necessarily exempt the company from EU data laws. By its own admission, the system cannot distinguish between European and non-European citizens when scraping photos from the internet.
Former CEO Hoan Ton-That put it bluntly: “There is no way to determine if a person has French citizenship purely from a public photo from the internet, and therefore it is impossible to delete data from French residents.”
Clearview’s position is clear: it refuses to pay fines or comply with enforcement orders it considers legally or technically invalid.
Clearview has been fined in Greece, Italy, France, and the Netherlands.
The company appears to be banking on a legal gray zone: arguing that, because it neither operates nor sells in the EU, it cannot be held accountable by EU regulators. Yet that argument has shown cracks. In a separate case before Germany’s Hamburg DPA, the company claimed to have deleted certain data–an apparent contradiction in its own legal stance.
As part of this investigation, Solomon reached out to Clearview AI multiple times for comment. The company did not respond.
Clearview’s MAGA Ties
Clearview’s defiance is unfolding against a politically charged backdrop. Under the new US administration, tensions around European efforts to sanction American companies are likely to escalate–particularly as the Trump administration signals a renewed willingness to assert its policies and priorities beyond US borders.
This dynamic is especially relevant in Clearview’s case: the company had reportedly secured $9 million in US government contracts and is increasingly central to domestic law enforcement efforts. US Immigration and Customs Enforcement (ICE) is among its top clients.
Founder Hoan Ton-That — described as a “diehard Donald Trump supporter” in a recent Mother Jones investigation — has longstanding ties to conservative and far-right political circles in the US. He supported Trump’s 2016 campaign and attended his election night party wearing a Make America Great Again (MAGA) hat. Over time, Ton-That brought several far-right figures into Clearview’s orbit, cementing the company’s ideological alignment with the US political right.
The Mother Jones report also detailed the extent of these connections, tracing Clearview’s links to MAGA-aligned investors, Trump donors, and right-wing influences–many of whom have championed anti-immigration and surveillance-driven policies.
These political affiliations may influence the company’s defiant stance toward regulatory oversight, particularly from foreign entities. They may also afford the company a degree of protection or at least embolden its resistance against international legal challenges.
A growing ecosystem of low-budget facial recognition tools
Clearview is not alone. PimEyes, another facial recognition firm with a similar business model, also claims to be beyond the reach of EU enforcement, several privacy experts told Solomon. But unlike Clearview, it is believed to be registered in Belize, not the US, raising further questions about offshore avoidance strategies in the AI surveillance space.
PimEyes is one of several companies thriving in a low-cost, largely unregulated facial recognition market where powerful search tools are accessible online for a small fee and with minimal oversight.
The company denies that it operates as a facial recognition provider, asserting in an email exchange with IrpiMedia that it does not process biometric data. “While facial recognition is designed to analyze biometric characteristics to establish an individual’s identity,” the company said, “our system relies on photo indexing to compare images and identify publicly available websites that host similar content.” It also claims to have implemented safeguards to prevent misuse, including tools to detect searches involving children, email verification requirements, and use activity monitoring.
But PimEyes is just one player in a growing ecosystem of inexpensive facial recognition tools marketed to the public. In testing, IrpiMedia identified other platforms–some also accessible via the Tor browser–offering facial search features that matched users to mugshot databases, sex offender registries, and online news archives. These services often operate anonymously, charge in cryptocurrency, and are hosted in offshore jurisdictions like Belize, compounding enforcement challenges.
What enforcement options remain?
Unlike financial fraud or cybercrime, GDPR violations lack a global enforcement framework–there is no international equivalent of an arrest warrant that would allow authorities to pursue uncooperative firms across borders. In the absence of treaties or formal cross-border mechanisms, even the heftiest fines risk becoming symbolic.
A spokesperson for Greece’s DPA confirmed that, under normal circumstances, the Independent Authority for Public Revenue (IAPR) would be responsible for collecting the fine. But in Clearview’s case, the process has effectively ground to a halt.
“Due to the fact that Clearview has no economic activity in Europe, we cannot proceed with the envisaged actions for the registration and collection of the fine,” the spokesperson wrote in an email to Solomon. “This is a problem that we face together with the counterpart supervisory authorities that have imposed corresponding fines on the same company, and for which we are in consultation with them.”
The enforcement mechanisms of different EU countries operate under distinct national laws, making coordinated action difficult.
The IAPR added that “the collection of non-tax fines, especially when it comes to companies that do not have economic activity in Greece or the EU, is hindered when there are no bilateral agreements for the mutual recognition and enforcement of administrative sanctions.”
The Greek DPA said it cannot proceed with the actions for the registration and collection of the fine against Clearview.
Turning up the pressure
European regulators are grappling with limited tools to compel compliance from foreign companies. One option is cross-border cooperation. France’s DPA, CNIL, for example, has reportedly pursued this path by engaging the US Federal Trade Commission. But such coordination depends heavily on the willingness and legal authority of the foreign regulator, which can vary significantly.
Outcomes are not always binding, and under the current US administration’s pro-tech policies, European efforts may face even greater resistance. The administration has taken a protective stance towards domestic technology companies, framing foreign sanctions as unfair or politically motivated.
In the Netherlands, authorities have shifted toward deterrence. Rather than solely targeting Clearview, they’ve warned Dutch organizations that using its services could result in significant penalties. The message is clear: if regulators can’t reach Clearview directly, they’ll go after its potential customers.
The Dutch DPA has also taken a rare step of investigating whether Clearview’s directors can be held personally liable for GDPR violations, the agency confirmed to Solomon. Additionally, the regulator has urged lawmakers to consider criminal penalties in such cases and explore mechanisms to enforce EU fines beyond the bloc’s borders.
Still, Dutch officials have offered few details publicly about these measures. The Dutch DPA declined multiple interview requests and refused to release any documents related to its communications with Clearview. In response to public records requests, the agency said even filenames would reveal too much.
Symbolic Penalties and Quiet Coordination
Despite limited avenues for enforcement, the Greek DPA said it deliberately imposed the maximum possible penalty on Clearview–a €20 million fine–not because it expected to collect, but because of its symbolic weight. The agency had considered a formal reprimand instead, but chose a harsher measure to signal how seriously it takes these violations, according to two sources.
“It’s the strategy of name and shame,” said a Greek official with direct knowledge of the case, who spoke to Solomon on condition of anonymity. “We don’t expect to get the payment.”
The official added: “We can’t guarantee it won’t happen again… We’re in collaboration with other authorities, and if someone figures out a way [to enforce the fine], we want to know it.”
Part of the difficulty lies in the fragmented nature of enforcement. Each EU country operates under its own legal framework, and while informal collaboration is underway among regulators that have sanctioned Clearview, formal cross-border coordination remains legally out of reach.
As a result, enforcement remains piecemeal–driven by national processes rather than a unified EU-wide mechanism. Behind the scenes, data protection authorities continue to discuss how to collect unpaid fines, but until binding national tools exist, progress is likely to remain slow and uneven.
For now, the EU is left with few tools to compel compliance from companies like Clearview. Without a functioning cross-border enforcement mechanism–or perhaps the political will to create one–even landmark GDPR rulings risk becoming little more than warnings on paper.
Clearview built its empire on ignoring consent, privacy experts said. Will it ignore the consequences, too?