Austrian privacy advocacy group noyb has filed a criminal complaint against U.S.-based facial recognition company Clearview AI, accusing it of unlawfully collecting photos and videos of European Union residents to build its biometric database. The complaint, lodged in Austria, argues that Clearview’s practices violate the EU’s General Data Protection Regulation (GDPR) and could expose the company’s executives to personal criminal liability, including possible prison sentences.
In a statement, noyb said Clearview’s large-scale scraping of online images represents a serious breach of European privacy rights. The group noted that Austrian law includes criminal provisions for certain GDPR violations, setting the stage for what could become a landmark case testing whether criminal enforcement can succeed where administrative fines have fallen short.
“Clearview AI amassed a global database of photos and biometric data, which makes it possible to identify people within seconds. Such power is extremely concerning and undermines the idea of a free society, where surveillance is the exception instead of the rule,” said Max Schrems, the Austrian lawyer and privacy activist who leads noyb. Schrems is well-known for winning two historic EU court rulings that invalidated previous U.S.-EU data transfer frameworks.
Clearview AI, which claims to have collected over 60 billion images globally and primarily markets its facial recognition technology to law enforcement, has faced numerous regulatory actions across Europe. Data protection authorities in France, Greece, Italy, and the Netherlands have previously ruled that the company violated GDPR by scraping and processing Europeans’ data without consent. These rulings resulted in cumulative fines nearing €100 million ($116 million).
In the United Kingdom, Clearview is appealing a £7.5 million fine, arguing that its operations fall outside UK jurisdiction since its services are sold exclusively to non-UK law enforcement agencies. However, a UK court dismissed its first appeal in October, ruling that Clearview’s tools do fall under UK GDPR because clients use them to identify individuals and analyze behavior for crime prevention. The case is now being remanded to a lower tribunal, with Clearview retaining the right to appeal further.
If Austrian prosecutors accept noyb’s criminal complaint, it could set a powerful precedent — marking one of the first instances where criminal law is used to enforce GDPR violations and intensifying global scrutiny on companies that process Europeans’ biometric data outside the EU’s jurisdiction.
