Today, you upload a happy group photo with friends to social platforms such as Instagram or Facebook; or perhaps photos with your family and friends have long been sitting in your phone’s album, and when you use certain apps, for some reason or due to certain terms, you grant them permission to access your photo library.
In that case, photos containing your faces are very likely to have already been obtained by some unknown company. The face of anyone in those photos—including your own—has already become part of a massive facial database; your facial information has been turned into stored as data. Even through more hidden channels, as long as someone is willing to pay, others can use your face to search and track all information related to you.
Introduction
In today’s digital society, without our knowledge, our facial information is collected, analyzed, and stored without consent. Digital privacy, however, is supposed to be protected on the basis of citizens’ absolute voluntary “consent.” Yet in many cases, users’ data has already been captured by certain platforms or apps before they are even informed. If so, have all those prompts asking for “consent or refusal” become merely decorative? The case of Clearview AI provides an answer—and also the core argument: every photo of you that appears online can become a tool to scan your data, and from the very beginning, you never truly had the power to refuse.
What Clearview Does
Clearview AI is a US-based facial recognition technology company that primarily provides facial search services to law enforcement agencies and government authorities. Its core business model involves the large-scale automatic scraping of more than 50 billion user photos from publicly accessible websites on the internet, including social media platforms, news websites and other web pages. Most individuals whose photos have been included in its database have never been informed, nor have they authorized the collection or use of their photos for facial recognition. The company has drawn intense criticism and sparked enormous controversy in the field of digital privacy. In 2021, Australia’s privacy regulator ruled that Clearview AI had violated privacy laws by collecting facial images of Australian residents without their consent. (Karp, 2024) European countries such as the Netherlands have also imposed fines successively. (Privacy Laws. 2024)
Conventional digital privacy is built on the premise that users are aware that their data may be collected and possess the right to choose. However, the underlying operational design of the Clearview AI system is fundamentally flawed. This is not a data breach caused by hacking or legal collection of facial information, but a system created specifically for the mass scraping of facial data. According to Nissenbaum’s theory of contextual integrity: posting a photo on Instagram constitutes sharing within a specific social context, not authorizing anyone to permanently store one’s face in a law enforcement database. The purpose of the data use completely deviates from the context in which you originally posted it. The Clearview AI system directly skips the step of seeking permission; it scrapes your facial data before you have the opportunity to make a choice, and you remain unaware of when your data was collected and stored in the database. It can also be argued that you never had the right to say “no” from the very beginning. This violates relevant regulations governing internet and personal privacy protection, and constitutes a disregard and infringement of every citizen’s right to consent. Using a platform itself implies acceptance of all rules set by the platform, and platform decisions are always final and binding (Suzor, N. P. 2019). “Informed consent” has become increasingly difficult to establish in the era of digital platforms, and Clearview AI represents the most extreme example, as it completely bypasses the prerequisite of consent.
Nevertheless, Clearview AI has consistently maintained the legality of its actions in the face of accusations and penalties from multiple countries. Terms of service are never designed to protect users; their existence serves to safeguard the company’s own legal interests (Suzor, N. P. 2019). The company has repeatedly stated that its facial recognition system only scrapes “publicly available data” from the internet, including images on social media and other websites, rather than any restricted or private sources of information (Hill, 2020). Legally, Clearview AI even claims that such practices fall within the scope of freedom of information. Furthermore, in response to heavy fines imposed by Europe, it has argued that it has no business operations or customers in Europe, thus claiming that the constraints of the General Data Protection Regulation do not apply to it and that no penalties can be enforced (Vincent, 2024). This response reflects a blurred boundary in digital privacy protection: does the accessibility of data equate to the right to use it? The company continues to exploit loopholes in gray areas such as user awareness and consent to the secondary use of their data, making it difficult for traditional consent-based privacy protection mechanisms to function in such technological practices.
Why Is Biometric Data More Dangerous Than Ordinary Privacy Concerns?
Why are we discussing the unique nature of facial biometric data? To what extent does its existence threaten our daily lives and personal privacy? Imagine walking into a coffee shop or going shopping at a mall—you’ll notice that facial recognition and payment systems are increasingly being used in various commercial settings. These systems not only verify your identity but also simultaneously reveal your entire purchase history, preferences, and creditworthiness. A vast amount of existing information is already stored in digital form, and the data generated by new digital platforms is permeating every aspect of our daily lives, private spaces, and public domains (Goggin et al., 2017). Behind this data exposure lies the potential for a series of marketing traps tailored specifically to you; before you know it, you have become a cog in the wheel of personal data commercialization.
At the same time, our daily lives are filled with password requirements—for bank accounts, social media platforms, email accounts, and more. Even if these credentials are compromised, email addresses and accounts can be changed, and you can reset passwords or request platform-wide account locks. But your face is the one irreplaceable and immutable identifier you carry for life that is irreversible and accompanies you for life. In 2023, a piece of malware called GoldPickaxe specifically targeted facial recognition systems. Hackers stole facial data to create deepfakes, which they used to deceive banking systems and steal user accounts. These cases also illustrate that your face is not merely being collected and stored; there is a high probability that it will be replicated and impersonated—and you cannot change your own face.
Once a person’s facial features are collected into the Clearview database, there is no way for the individual to delete or reverse it. It is different from the general record collection of platforms or apps. Facial data is permanently bound to the individual and is always a time bomb for others to obtain all of your information. Article 12 of the Universal Declaration of Human Rights clearly states that privacy is generally regarded as a basic human right and is also a fundamental condition for maintaining individual autonomy and personal dignity. (United Nations, 1948) This is not just a problem of data privacy infringement, but a permanent deprivation of an individual’s right to control their own identity. When a person’s facial data is permanently stored and tracked, what is damaged is not only their privacy rights at the information level, but also their basic control ability over their own identity as a subject (Digital Freedom Fund, 2020). A survey on consumers’ privacy attitudes shows that the public’s trust in how companies handle personal data is generally low, especially when it comes to sensitive information such as biometric data, this distrust is even more pronounced (Cisco, 2023). Data shows that people are beginning to feel panicked and suspicious about this matter, but after the collapse of trust, no official has come out to guarantee the safety of the public’s biometric data, nor have they told them what to do next to avoid it as much as possible.
Why can’t the law keep up with it?
Legally speaking, there have always been regulatory efforts, but the existing relevant laws are outdated and insufficient. The harsh reality is that Clearview has yet to pay most of the fines and has not deleted the data; the database is still operational (Solomon., 2025, November 17). The current privacy laws are based on the assumption that companies will first ask for your consent before collecting your data, and you voluntarily register accounts, fill in information, and check the consent form. This approach was reasonable in the past. “Informed consent” simply does not work here. Even more seriously, even the GDPR, which is currently regarded as the strongest privacy protection law, is still fundamentally designed for passive defense. It only intervenes and imposes penalties after a violation occurs. For automated large-scale data collection like Clearview, by the time passive intervention takes place, the damage is already irreparable. Your face has been invisibly used in the database for years, and the data circulation and losses caused over these years cannot be compensated by any legal retroactive mechanism. This reveals a deeper structural problem: current laws protect the “act of data collection” but lack the ability to protect the “state of data existing in the world” (Flew, 2021).
The failure of cross-border enforcement is another fundamental reason in this case. EU data protection authorities have no power to seize assets or enforce fines in the United States, and the US does not recognise foreign penalties as legally binding on its own soil. Fines, therefore, are nothing more than symbolic warnings, and the company continues to operate by exploiting this gap. Clearview’s response strategy is equally calculated: it quietly builds a user base and cultivates dependency among government clients, then leverages that indispensability as a shield against regulation. Once law enforcement and intelligence agencies become reliant on Clearview’s services, regulators find it nearly impossible to truly “shut it down” (Burgess, T., 2024). This means that the very institutions of power have, in a sense, entered into a relationship of mutual dependency with it — and in doing so, have become a protective layer against the regulation they are meant to enforce. What Clearview has found is not a loophole, but a boundary that the existing privacy framework never anticipated from the moment of its design: a business model that acts first, gets discovered, gets fined, and keeps running — one that is, under the current legal framework, virtually unassailable.
Conclusion
The Clearview AI case is only the tip of the iceberg in today’s complex internet landscape, and beneath it lies a deepening contradiction between a rapidly advancing technological society and an increasingly outdated legal system. When biometric data can be harvested, stored, and permanently used without any individual ever knowing, traditional privacy protection frameworks can no longer offer ordinary citizens any meaningful guarantee. As Goggin et al. noted in their survey of digital rights in Australia, “data tracking, collection and trading” has made “activating privacy rights often very difficult” (Goggin et al., 2017, p. 9). Clearview AI’s business model has only made this an even more serious problem. This is a gap that urgently needs to be addressed: technology advances at a relentless pace, while legal reform always lags one step behind. What is needed is a fundamental reconstruction of the logic behind privacy protection — shifting focus away from after-the-fact punishment, and toward the consideration of human rights at the very moment a technology is built. Privacy is a fundamental right that every citizen is born with, and it should not have to be defended in such a difficult way. This also forces us, in every act of sharing that follows, to repeatedly ask ourselves: has the photo we posted today already been used somewhere beyond our knowledge?
References
Burgess, T. (2024, October 23). Clearview AI’s massive fine for GDPR violations — and what it means. Barracuda Networks. https://blog.barracuda.com/2024/10/23/clearview-ai-fine-gdpr-violations
Cisco. (2023). Cisco consumer privacy survey 2023. https://www.cisco.com/c/en/us/about/trust-center/data-privacy-benchmark-study.html
Digital Freedom Fund. (2020). Article 12: The right to privacy. https://digitalfreedomfund.org/digital-rights-are-human-rights/article-12-the-right-to-privacy/
Flew, T. (2021). Regulating Platforms. John Wiley & Sons. ISBN:9781800887206
Goggin, G., Vromen, A., Weatherall, K., Martin, F., Webb, A., Sunman, L., & Bailo, F. (2017). Digital rights in Australia. University of Sydney. http://hdl.handle.net/2123/17587
Hill, K. (2020, January 18). The secretive company that might end privacy as we know it. The New York Times. https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html
Karp, P. (2024, August 21). Privacy regulator drops pursuit of Clearview AI over use of Australians’ images in facial recognition tech. The Guardian. https://www.theguardian.com/technology/article/2024/aug/21/privacy-regulator-drops-pursuit-of-clearview-ai-over-use-of-australians-images-in-facial-recognition-tech-ntwnfb
Privacy Laws. (2024, September 6). Netherlands DPA fines Clearview AI €30.5 million and may impose penalties on directors personally. https://www.privacylaws.com/news/netherlands-dpa-fines-clearview-ai-30-5-million-and-may-impose-penalties-on-directors-personally/
Solomon. (2025, November 17). How a shady US AI company dodged fines and defied regulators across Europe. https://wearesolomon.com/mag/format/investigation/clearview-how-a-shady-us-ai-company-dodged-fines-and-defied-regulators-across-europe/
Suzor, N. P. (2019). Lawless: The secret rules that govern our lives. Cambridge University Press.
United Nations. (1948). Universal Declaration of Human Rights. https://www.un.org/en/udhrbook/mobile.shtml
Vincent, J. (2024, September 3). Dutch regulator fines Clearview AI €30.5 million for illegal facial recognition database. The Verge. https://www.theverge.com/2024/9/3/24234879/dutch-regulator-gdpr-clearview-ai-fine
Be the first to comment