Clearview AI: The Enforcement Case That Set the Global Standard for Biometric AI Governance

What Clearview did and why regulators responded

Clearview AI built a facial recognition system by scraping billions of images from the public internet — social media platforms, news sites, government databases, and other publicly accessible sources — without the consent of the people in those images. The company sold access to this system primarily to law enforcement agencies, allowing them to identify individuals by uploading a photograph and matching it against Clearview's database. The scale of the database — reportedly over 20 billion images by 2023 — made it the most comprehensive facial recognition system in existence.

The regulatory response was swift and globally coordinated. Clearview faced enforcement action from data protection authorities on four continents, with fines, orders to delete data, and prohibitions on future data collection. The coordinated nature of the enforcement — with authorities in Australia, the UK, France, Italy, Greece, and Canada acting in parallel — reflected the global consensus among privacy regulators that Clearview's model was fundamentally incompatible with data protection law.

The Australian enforcement: extraterritorial reach established

The OAIC's enforcement action against Clearview was particularly significant because Clearview is a US company with no Australian operations. The OAIC found that the Australian Privacy Act applied because Clearview collected personal information from Australians — their facial images — and used that information in a system that could be queried about Australians. The extraterritorial reach of the Privacy Act, established in this enforcement action, is directly analogous to the extraterritorial reach of the EU AI Act: organisations that collect data about or deploy AI affecting Australian residents are subject to Australian law regardless of where they are located.

The broader governance implications

The Clearview enforcement actions establish several principles that apply beyond facial recognition. First, the source of data does not determine its legal status — data that is publicly available is not automatically available for any purpose, and processing biometric data without consent violates privacy law regardless of where the data was obtained. Second, the intended use case does not determine the lawfulness of data collection — law enforcement use does not justify privacy violations at the collection stage. Third, global privacy regulators will coordinate to address AI governance violations that have transnational reach.

For organisations that use or are considering facial recognition, the Clearview enforcement actions define the compliance floor: facial recognition that identifies individuals without their consent, that operates in publicly accessible spaces, or that is built from scraped biometric data is not compliant with privacy law in any major jurisdiction. The EU AI Act's near-prohibition on real-time remote biometric identification in publicly accessible spaces reinforces this position in the EU regulatory framework.