Facial image aggregator Clearview AI was fined 20 million euros (U.S. $22 million) for unlawfully processing the biometric and geolocation data of Italian citizens.

The decision, announced by the Italian data protection authority (Garante) on Wednesday, cited violations of the European Union’s General Data Protection Regulation (GDPR), including with regard to transparency, purpose limitation, and storage limitation. Garante ordered Clearview AI to delete data it has relating to individuals in Italy and designate a representative in the European Union to facilitate data subject access requests.

Clearview AI’s app allows users to upload an image of an individual’s face and match it to photos of that person’s face collected from the internet. It then links to where the photos appeared. The system is reported to include a database of more than 10 billion images that Clearview AI claims to have taken from various social media platforms and other websites where the information is publicly available.

Garante is one of several EU data protection authorities to take issue with the way the U.S.-based company does business. In November, the Information Commissioner’s Office in the United Kingdom warned Clearview AI of a potential 17 million pound (U.S. $22.3 million) fine over concerns the firm was processing the information of U.K. citizens without their knowledge. The CNIL in France ordered Clearview AI to cease the collection and use of data of persons in French territory in December, also warning of the potential for a fine.

The Office of the Australian Information Commissioner has also found Clearview AI in breach of the country’s privacy laws.

In Italy, Garante found “the personal data held by the company, including biometric and geolocation information, were processed unlawfully without an appropriate legal basis—since the legitimate interest of the U.S.-based company does not qualify as such.” Clearview AI did not adequately inform Italian citizens their data was being collected, processed user data for purposes other than what was made available online, and did not set a limit on data storage, according to the regulator.

In response to the fine, Clearview AI Chief Executive Hoan Ton-That maintained the company “does not have a place of business in Italy or the EU, it does not have any customers in Italy or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR.”

“We only collect public data from the open internet and comply with all standards of privacy and law,” he said in an emailed statement. “I am heartbroken by the misinterpretation by some in Italy, where we do no business, of Clearview AI’s technology to society.”