I've often said security doesn't matter anymore. There are no consequences for a security breach. With companies claiming "hey, we followed best practices!" and transferring liability to third parties like Crowdstrike I'm not even sure how one could even prosecute (in the US).

If you're in the EU, you should pressure your legislators to do something about it. As I understand it, there are laws against these data breaches for companies doing business in the EU, correct?

If that is the case & the law(s) aren't being properly followed/enforced then you must speak up about it. Contact your representatives and let them know.

I understand it's easy to be complacent and be apathetic that nothing is being done, but that's how it goes in a representative democracy. At the end of the day, all we have is our voice.

This is government. If you exceed the speed limit on the autobahn, you’ll be fined immediately. But if you run a multi million Euro fraud, you will get away with it for DECADES.

Why? Because they’ve got no systems in place for that. And to do something out of the ordinary that is hard would require someone with an incentive to do it. That does not fit the profile of your typical government employee. They don’t get paid for taking on difficult cases. They get paid for closing files, or, ideally, finding reasons for not even opening them in the first place.

Laws are like locks. The honest people pay attention to them. The criminals don’t. They look at the enforcement (or lack thereof).

I would assume their leadership simply never enter EU soil. Just like the CIA agents Italy has arrest warrants out for kidnapping Abu Omar, or how Kim Dotcom lived quite happily for a time by not going to the US or any country that would extradite him. It's pretty difficult to prosecute people on foreign soil without the kind of international cooperation that exists for prosecuting drug traffickers

> imprison leadership as they arrive on EU soil

I think that's the step that's being taken (or attempted at least) here.

> you imprison leadership as they arrive on EU soil

It's in the article, Austria might issue a criminal warrant for the company executives.

> I'm no fan of surveillance technology in general, nor of Clearview specifically, but no American corporation is legally obligated to obey British law.

All the more when what Clearview has done is build an index of publicly available images, and associated URLs, derived from the freely-crawlable open web. Legal rulings in the US -- e.g., in Sorrell v. IMS Health -- consistently show that information aggregation and dissemination are treated as speech, so creating and distributing the Clearview index is protected expression under the First Amendment.

Also, Clearview is far from the only game in town. Lots of tech companies -- including some very large ones -- have facial recognition indexes. I suspect that Clearview is being made an example of, pour encourager les autres. But it seems a little bit exceptional, as though the law isn't being fairly or evenly applied.

Right, but they're scraping photos of people from the whole web, which of course includes photos of British and EU citizens.

So it's not just a normal American company in the American market, it wants to be an international company but without respecting international laws, and that's not going to end up well.

> I'm no fan of surveillance technology in general, nor of Clearview specifically, but no American corporation is legally obligated to obey British law.

They are if they trade in the UK (which ClearView does).

The actual answer is for governments to just say clearly "You obey our laws when operating here or you don't operate here".

Instead they faff around with fines that are largely priced into doing business that get negotiated down endlessly.

The alternative is we allow them to operate with no way to constrain them when they break our laws at all and at that point - what use is government regulation on anything related to data protection.

I think the issue is that people are using personal information to train AI systems.

This is a threat personal integrity and it doesn't really matter how the images were obtained. The threat to people exists despite the fact that they were on the public internet.

Clearview doesn’t have to follow British law, and Britain doesn’t have to allow people associated with Clearview to exist freely on their territory.

This is little different from, say, Russian hackers targeting Americans. Practically speaking there’s nothing to be done unless the perps enter American jurisdiction, but it’s entirely sensible to say that they violated US law and face penalties for it. It might be a little off to say that they’re “dodging” that law, but it’s close enough.

If they do business in the EU they are obligated to follow EU laws, and if they have committed crimes they should be subject to arrest and extradition.

I know you're making a point about Ofcom censorship, and I agree, but we cannot set the precedent that "if you commit your crimes using a company in Delaware, they're not illegal." If you program your AI-drone to murder your enemies, that's fine as long as the control server is offshore?

Maybe so, but it's so much better than the US at this that it's not even funny.