When GDPR Gets Personal: Dutch DPA Holds Clearview AI Directors Accountable
In September 2024, the Dutch Data Protection Authority (DPA) made headlines by announcing an unprecedented move to hold the directors of Clearview AI personally liable for violations of the General Data Protection Regulation (GDPR). This case, involving a fine of €30.5 million against the company, marked a pioneering moment in GDPR enforcement, signaling a shift towards individual accountability for corporate executives who knowingly perpetuate non-compliance.
Background: The Case Against Clearview AI
Clearview AI, a facial recognition software provider, has been at the center of multiple GDPR enforcement actions across Europe. The company collected vast amounts of personal data, including images of individuals, from publicly available sources such as social media and websites, without obtaining the consent of the data subjects. Clearview AI’s global database allowed its customers to perform facial recognition searches by comparing an uploaded image against the images it had stored. This practice led to widespread criticism and complaints from privacy activists and digital rights organizations.
Between 2021 and 2024, Clearview AI faced numerous fines for breaching GDPR principles, including transparency, lawfulness, and purpose limitation. Despite these penalties, the company failed to halt its violations, prompting the Dutch DPA to escalate its enforcement measures.
The Dutch DPA’s Decision: Holding Directors Accountable
In a groundbreaking decision, the Dutch DPA not only imposed an incremental penalty of up to €5.1 million for continued non-compliance but also initiated an investigation into the potential personal liability of Clearview AI’s directors. This marks the first time in GDPR enforcement history that a supervisory authority has explicitly pursued personal accountability for C-level executives.
The DPA’s rationale is clear: “This liability already exists if directors know that the GDPR is being violated, have the authority to stop that, but omit to do so, and in this way consciously accept those violations.” The move underscores the regulatory focus on ensuring that corporate leaders take responsibility for their organizations’ compliance with data protection laws.
Why This Case Matters
The Dutch DPA’s actions set a significant precedent for GDPR enforcement. Key implications include:
A New Era of Accountability: The case highlights a shift in enforcement priorities, with regulators targeting individuals at the helm of non-compliant organizations. This development serves as a warning to executives that they cannot hide behind their companies’ legal entities.
Deterrent Effect: By pursuing personal liability, the Dutch DPA aims to deter other organizations and their leaders from disregarding GDPR obligations, even in the face of fines or other enforcement actions.
Strengthening GDPR Compliance: This case emphasizes the importance of robust compliance programs and executive oversight. Organizations must ensure their leadership actively supports and enforces data protection measures.
Insights from the DLA Piper GDPR Fines and Data Breach Survey 2025
According to the DLA Piper GDPR Fines and Data Breach Survey 2025, regulators will continue to focus on the personal liability of company officers, directors, and other individual members of management bodies for GDPR infringements, using it as a lever to drive better compliance. The Dutch DPA’s stated intention to investigate whether the directors of Clearview AI can be held personally responsible for the company’s alleged ongoing violations of GDPR is a high-profile example.
The survey predicts that the focus on personal liability of individual members of management bodies will persist in 2025. Whether regulators have the legal powers to impose personal liability for GDPR infringements is a question of domestic law, and the position varies among Member States. Nevertheless, the Dutch DPA’s statement of intent is expected to inspire more attempts by supervisory authorities to hold officers, directors, and others in management individually liable for GDPR infringements. Personal liability is seen as a powerful lever to drive compliance, encouraging executives to take proactive measures to ensure their organizations adhere to data protection regulations.
Lessons for Organizations
To avoid similar scrutiny, organizations should:
Ensure Executive Involvement: C-suite executives must be actively engaged in overseeing GDPR compliance and allocating sufficient resources to data protection efforts.
Adopt a Culture of Accountability: Encourage a top-down approach to compliance, where leaders set the tone for ethical and lawful data practices.
Conduct Regular Reviews: Periodically audit compliance programs to identify and address gaps, particularly in high-risk areas like data collection and processing.
Strengthen Governance: Clearly define roles and responsibilities within the organization to prevent negligence and ensure accountability at all levels.
Why This is Relevant to Pharma Companies and Clinical Trials
For pharma companies conducting clinical trials, the implications of the Dutch DPA’s decision are profound. Clinical trials inherently involve the collection and processing of sensitive personal data, including health information, which is subject to strict GDPR requirements.
The precedent set by the Dutch DPA reinforces the importance of accountability at the executive level. In an industry where the stakes are high, directors and officers must ensure robust data protection practices are in place to prevent potential violations.
Pharma companies must act now to strengthen their compliance frameworks and ensure executive accountability. RD Privacy specializes in supporting life sciences organizations with GDPR compliance, from clinical trials to broader data protection strategies. Reach out to RD Privacy today to protect your organization, ensure compliance, and foster trust in your clinical research.
Conclusion
The Dutch DPA’s case against Clearview AI directors is a watershed moment in GDPR enforcement, signaling a tougher stance on personal liability. By targeting executives who knowingly permit violations, regulators are reinforcing the importance of accountability at the highest levels of corporate governance. For organizations, this serves as a stark reminder to prioritize compliance and foster a culture of transparency and responsibility.
The case also raises broader questions about the future of GDPR enforcement: Will other supervisory authorities follow suit? And how will this shift impact the strategies of organizations navigating the complex world of data protection?
One thing is certain: 2024 marked the year GDPR enforcement got personal, and the implications will reverberate across industries for years to come.
Best,
Diana