Skip to content 
AI Firm Fined Across Europe for GDPR Violations, Including Missing an EU Representative
Facial-recognition company Clearview AI has faced millions of euros in fines across Europe for violating GDPR. Among its breaches: failing to appoint an EU Representative as required under Article 27.
The AI Company at the Centre of a Privacy Storm
Clearview AI, a US-based facial-recognition technology company, has been investigated by multiple European data-protection authorities for scraping billions of images from social media to build its facial database.
Between 2021 and 2023, regulators in France, Italy, Greece, and the United Kingdom issued enforcement actions totalling more than €60 million in fines.
One of the specific findings in several of these decisions was that Clearview AI had no appointed GDPR Representative in the EU or the UK. This is a basic requirement for any non-European company processing European data.
“Clearview AI’s practices were incompatible with European privacy principles,” said the French Data Protection Authority (CNIL) when announcing its €20 million fine. “The company processed biometric data without a legal basis and failed to designate a representative in the European Union.”
What the Law Actually Says
Under Article 27 of the EU General Data Protection Regulation (GDPR), organisations outside Europe that handle EU residents’ personal data must appoint a local GDPR Representative.
That representative acts as a point of contact for both regulators and individuals in the EU who wish to exercise their data-protection rights.
Failing to appoint one is treated as a separate violation, even if no data breach has taken place.
In Clearview AI’s case, this gap was one of several reasons why European regulators concluded that the company was operating unlawfully within the EU.
Appoint Your GDPR Representative in the
EU and UK
Avoid fines and stay compliant with Article 27.
Specialist GDPR Representative services help organisations meet local contact requirements and maintain audit-ready compliance.
Why It Matters Beyond AI
Although Clearview AI’s technology is extreme in scope, the underlying issue applies to many other industries.
Any non-EU business that collects, analyses, or tracks data from European users is subject to the same rule. This includes software providers, mobile-app developers, e-commerce platforms, and marketing agencies.
Many global companies still overlook the GDPR Representative requirement because they assume compliance only applies to businesses physically located in Europe.
In practice, regulators look at where the users are, not where the company is based.
How GDPR Representation Works
Discover how Euverify connects your business with EU and UK regulators -fast, compliant, and transparent.
See how simple it is to appoint your GDPR Representative and meet Article 27 obligations.
Appoint Your GDPR Representative in the
EU and UK
Avoid fines and stay compliant with Article 27.
Specialist GDPR Representative services help organisations meet local contact requirements and maintain audit-ready compliance.
The Broader Enforcement Trend
According to DLA Piper’s GDPR Fines and Data Breach Survey 2025, regulators across Europe issued more than €1.2 billion in fines in 2024 alone.
The CMS Law Enforcement Tracker lists “technology and communications” among the top three sectors facing enforcement.
While facial-recognition firms have been a focus, privacy authorities have also investigated financial-tech platforms, ad-tech companies, and cloud-service providers that lacked an appointed EU contact.
Experts believe enforcement around Article 27 will continue to rise as regulators strengthen cooperation across borders.
“It’s not just about big tech anymore,” explains data-protection lawyer Sofia Marquez. “Authorities are looking at every company that processes EU data without a local representative. It’s one of the simplest obligations, yet one of the most frequently ignored.”
Lessons for Global Businesses
For organisations outside Europe, compliance with Article 27 is straightforward once the requirement is understood.
A designated EU and UK GDPR Representative:
• acts as the official contact for data-protection authorities,
• handles data-subject requests from EU users,
• maintains processing-activity records, and
• supports audit readiness if an investigation occurs.
By taking this step, companies show transparency and accountability — two principles at the heart of GDPR compliance.
Transparent GDPR Representative Pricing
Stay compliant without hidden costs. Euverify offers flat annual rates for full EU & UK representation - designed for startups to global enterprises.
The Takeaway
Clearview AI’s case serves as a reminder that GDPR’s reach is global.
Any business offering services to EU residents, or monitoring their behaviour online, must ensure it has a local representative in place.
Ignoring this obligation can be costly. Not just in fines, but in lost trust.
Ready to Appoint Your GDPR Representative?
Euverify helps global businesses stay compliant with full EU & UK representation.
Sources
Information in this article is based on enforcement decisions from the French CNIL, Italian Garante per la Protezione dei Dati Personali, Greek HDPA, UK ICO, the Dutch DPA’s public case database, the DLA Piper GDPR Fines and Data Breach Survey 2025, and analyses from the International Association of Privacy Professionals (IAPP) and CMS Law GDPR Enforcement Tracker.
How GDPR Representation Works
Discover how Euverify connects your business with EU and UK regulators -fast, compliant, and transparent.
See how simple it is to appoint your GDPR Representative and meet Article 27 obligations.
Transparent GDPR Representative Pricing
Stay compliant without hidden costs. Euverify offers flat annual rates for full EU & UK representation - designed for startups to global enterprises.
Share this article
Related News
