The business of the American company – consisting in the web scraping of images of internet users, in the matching with metadata identifying the subjects and in the comparison with photos provided by the customers of the application in order to obtain their identification – has been subject to examination by multiple European supervisory authorities.
The U.S. company’s defense was primarily based on the alleged lack of jurisdiction of EU law due to non-applicability of the GDPR.
Cross-border data processing
First, it should be recalled that if a personal data processing takes place in the activities of establishments in several Member States or has an impact on data subjects located in multiple Member States (so-called “cross-border processing”, Art. 4(23) of the GDPR), then the supervisory authority of each Member State is responsible for assessing compliance and, in the event of an established breach, for taking the relevant measures, including imposing sanctions.
Article 55.1 of the Regulation confirms that « Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State ».
The exclusive jurisdiction of the supervisory authority on its territory is confirmed in Article 56.2, which states that «each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State».
Therefore, if a controller (such as Clearview) engages in cross-border processing, it must take into account that such processing will be subject to examination by each national supervisory authority involved.
Cooperation mechanism (“one-stop-shop”)
In the presence of cross-border processing, the legislator has taken care to create the conditions so that the assessments and interventions of each supervisory authorities will be substantially homogeneous. To this end, the GDPR provides for two legal instrument:
- the cooperation mechanism or “one-stop-shop” when the controller or the processor has an establishment on the territory of the Union (articles 56.1 and 60)
- that mutual assistance in the other cases (articles 56.5 and 61, 62).
The cooperation mechanism provides that the supervisory authority of the Member State in which the principal establishment of the controller or the processor is located acts as “lead” authority by handling the case and coordinating the positions taken by the other authorities “concerned“.
The cooperation mechanism not only ensures a homogeneous approach among the various authorities, but also facilitates the controller or processor’s work by allowing them to approach a single point of contact to manage his or her file; in fact, the lead authority is the sole interlocutor (one stop) for the relevant controller or processor.
The condition for being able to use the cooperation mechanism – as mentioned – is the existence of an establishment of the controller or the processor in one of the member states of the Union: the competent authority in the member state in which the establishment is located (or the “main” one, in the case of multiple establishments) is the lead authority.
If the controller or the processor do not have their own establishment in the Union, as is the case of Clearview, and there is a cross-border processing, then each supervisory authority is entitled to judge the impacts of the processing on data subjects located on its territory and mutual assistance is used between the authorities concerned (Art. 61).
The instrument in Article 61 provides for the exchange of information and effective cooperation between authorities in order to ensure consistent application of the regulation.
This is what happened in the Clearview case, which, as a data controller without an establishment in the EU, was subject to examination – with regard to the processing of personal data carried out through its facial recognition service – by a number of supervisory authorities with mutual assistance.
The Swedish authority (DI-2020-2719:A126.614/2020 of 10/2/2021), the Finnish authority, the Hamburg Land Authority (decision 545/2020; 32.02-102), the French CNIL (decision no. MED 2021-134 of 1/11/2021) and the Italian authority (doc. web no. 9751362 of 10/2/2022) have pronounced on the same company and in relation to the same subject matter.