Clearview AI faces criminal complaint in Austria over alleged mass privacy violations

Key Takeaways

Austrian privacy advocacy group noyb announced on Tuesday that it has filed a criminal complaint in Austria against U.S.-based facial recognition company Clearview AI, accusing the firm of illegally collecting and processing photos and videos of European Union residents in violation of the bloc's General Data Protection Regulation.

The complaint, filed with public prosecutors in Austria, targets both Clearview AI and its managers for suspected privacy violations.

According to noyb's statement, Austria's criminal provisions for GDPR violations could expose Clearview and its executives to personal liability, including potential jail time, particularly if they travel to Europe.

Privacy advocate pushes for criminal enforcement

The criminal complaint was filed by noyb, a privacy advocacy organization led by Austrian lawyer Max Schrems, who is known for winning two landmark European Union court rulings that struck down transatlantic data-transfer frameworks.

In a statement released by noyb, Schrems criticized Clearview AI's operations and called for stronger enforcement action.

"Facial recognition technology is extremely invasive. It allows for mass surveillance and immediate identification of millions of people," Schrems said in the statement. "Clearview AI amassed a global database of photos and biometric data, which makes it possible to identify people within seconds. Such power is extremely concerning and undermines the idea of a free society, where surveillance is the exception instead of the rule."

Schrems further stated that Clearview AI has effectively ignored EU authorities and their decisions. "Clearview AI seems to simply ignore EU fundamental rights and just spits in the face of EU authorities," he said in noyb's statement.

The Austrian lawyer also drew attention to the disparity in enforcement priorities.

"We even run cross-border criminal procedures for stolen bikes, so we hope that the public prosecutor also takes action when the personal data of billions of people was stolen, as has been confirmed by multiple authorities," Schrems said.

The company ignores administrative fines and bans

Clearview AI, which markets its facial recognition tools primarily to law enforcement agencies, has already been found in breach of GDPR by regulators in multiple EU member states.

The French, Greek, Italian, and Dutch data protection authorities have collectively imposed fines totaling approximately 100 million euros on the company for its data collection practices.

The Austrian data protection authority has also previously deemed Clearview AI's operations illegal and issued bans.

However, according to noyb, Clearview AI has simply ignored these administrative decisions.

The company lacks an EU establishment and has not paid the imposed fines, allowing it to effectively evade enforcement.

Only in the United Kingdom has Clearview appealed a decision by the British Information Commissioner's Office.

In October 2025, the UK court dismissed Clearview's first appeal, ruling that the service falls under the scope of UK GDPR. The case is now set to return to a lower tribunal.

Clearview AI claims to have collected more than 60 billion images globally by scraping the internet and adding faces found in photos and videos to its database.

The company's technology allows customers to identify people by uploading a photo and obtaining other pictures of the same person, along with links and metadata. Clearview did not immediately respond to a request for comment from Reuters.

Testing criminal enforcement against GDPR violations

The planned Austrian case seeks to test whether criminal enforcement can succeed where administrative penalties have struggled.

While the GDPR primarily relies on administrative fines, Article 84 of the regulation allows EU member states to implement criminal sanctions for certain violations.

Austria has implemented such criminal provisions in Section 63 of its national Data Protection Act.

In contrast to administrative GDPR violations, criminal violations allow actions to be taken against individual managers and enable the use of the full range of criminal procedures, including EU-wide enforcement actions.

If prosecutors accept the complaint and the case succeeds, it could set a precedent for criminal enforcement of GDPR violations and increase pressure on companies that operate outside the EU but process European citizens' data.

Read more: