AIRiskAware

Case Study 8 min read 2026

Clearview AI: The Enforcement Case That Set the Global Standard for Biometric AI Governance

Clearview AI faced enforcement action in Australia, the UK, France, Italy, Greece, and Canada — a coordinated global response that established the compliance expectations for biometric AI and facial recognition. What every board needs to understand.

Key Takeaways

  • Clearview AI was fined or sanctioned by data protection authorities in Australia, the UK, France, Italy, Greece, and Canada for scraping facial images without consent and creating a biometric identification database — a coordinated global enforcement response unprecedented in AI regulation.

  • The OAIC found Clearview violated the Australian Privacy Act by collecting sensitive biometric information without consent — establishing that Australian privacy law applies to offshore AI companies that collect data about Australians.

  • The UK ICO's enforcement action established that facial recognition used for commercial purposes requires explicit consent and has no adequate legitimate interest basis — a principle that applies to any UK business considering facial recognition.

  • The EU AI Act's prohibition on real-time remote biometric identification in publicly accessible spaces (with limited law enforcement exceptions) directly addresses the risk Clearview represents — and makes similar systems effectively prohibited in the EU.

  • The Clearview case is the precedent that biometric AI governance must be designed around: the world's data protection regulators treat facial recognition databases built from scraped public images as a fundamental privacy violation regardless of the claimed use case.

"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. For specific advice, please consult a qualified professional."

What Clearview did and why regulators responded

Clearview AI built a facial recognition system by scraping billions of images from the public internet — social media platforms, news sites, government databases, and other publicly accessible sources — without the consent of the people in those images. The company sold access to this system primarily to law enforcement agencies, allowing them to identify individuals by uploading a photograph and matching it against Clearview's database. The scale of the database — reportedly over 20 billion images by 2023 — made it the most comprehensive facial recognition system in existence.

The regulatory response was swift and globally coordinated. Clearview faced enforcement action from data protection authorities on four continents, with fines, orders to delete data, and prohibitions on future data collection. The coordinated nature of the enforcement — with authorities in Australia, the UK, France, Italy, Greece, and Canada acting in parallel — reflected the global consensus among privacy regulators that Clearview's model was fundamentally incompatible with data protection law.

The Australian enforcement: extraterritorial reach established

The OAIC's enforcement action against Clearview was particularly significant because Clearview is a US company with no Australian operations. The OAIC found that the Australian Privacy Act applied because Clearview collected personal information from Australians — their facial images — and used that information in a system that could be queried about Australians. The extraterritorial reach of the Privacy Act, established in this enforcement action, is directly analogous to the extraterritorial reach of the EU AI Act: organisations that collect data about or deploy AI affecting Australian residents are subject to Australian law regardless of where they are located.

The broader governance implications

The Clearview enforcement actions establish several principles that apply beyond facial recognition. First, the source of data does not determine its legal status — data that is publicly available is not automatically available for any purpose, and processing biometric data without consent violates privacy law regardless of where the data was obtained. Second, the intended use case does not determine the lawfulness of data collection — law enforcement use does not justify privacy violations at the collection stage. Third, global privacy regulators will coordinate to address AI governance violations that have transnational reach.

For organisations that use or are considering facial recognition, the Clearview enforcement actions define the compliance floor: facial recognition that identifies individuals without their consent, that operates in publicly accessible spaces, or that is built from scraped biometric data is not compliant with privacy law in any major jurisdiction. The EU AI Act's near-prohibition on real-time remote biometric identification in publicly accessible spaces reinforces this position in the EU regulatory framework.