Controversial facial recognition company Clearview AI, which has amassed a database of some 10 billion images by scraping selfies from the Internet so it can sell an identity matching service to law enforcement, has received another injunction to delete personal data.
The French privacy watchdog said today that Clearview violated the European General Data Protection Regulation (GDPR).
In announcing its finding of a breach, the CNIL also gives Clearview formal notice to stop its “illegal processing” and specifies that it must delete user data within two months.
The watchdog is acting on complaints against Clearview that it has received since May 2020.
The US company does not have an established base in the EU, which means its business is open to regulatory action across the EU by any of the bloc’s data protection supervisors. Thus, while the CNIL order only applies to the data Clearview holds on people in French territories – which, according to estimates, covers “several” tens of millions of Internet users – more such orders are likely from other EU agencies.
The CNIL notes that it has sought to work with other authorities by sharing the results of its investigations – which suggests that Clearview is likely to face further injunctions to stop processing data from authorities in other EU member states and EEA countries that have transposed the GDPR into national law (around thirty countries in total).
This year, Clearview’s service has already been found to be in breach of privacy rules in Canada, Australia and the UK (which after Brexit is outside the EU but keeps the GDPR in national law for now) – where it faces a possible fine and was also ordered to delete user data last month.
Two breaches of the GDPR
The French CNIL found that Clearview had committed two breaches of the GDPR: a violation of Article 6 (lawfulness of processing) by collecting and using biometric data without a legal basis; and infringements of various data access rights set out in Articles 12, 15 and 17.
The violation of Article 6 is due to the fact that Clearview does not obtain the consent of individuals to use their facial biometrics, nor can it rely on a legal basis of legitimate interest to collect and use this data – taking into account what the CNIL describes as the massive and “particularly intrusive” nature of the processing it performs.
“These people, whose photographs or videos are accessible on various websites and social networks, would not reasonably expect their images to be processed by [Clearview AI] to feed a facial recognition system usable by states [such as] for police purposes,” writes the CNIL.
It has also received complaints from individuals regarding a number of “difficulties” encountered in attempting to exercise their GDPR data access rights.
Here, the CNIL found that Clearview violates the regulations in several ways – for example by limiting individuals’ data access rights to twice a year “without justification”; or by limiting them to data collected during the last 12 months; or by responding to certain requests only after “an excessive number of requests from the same person”.
Clearview has been ordered to ensure that it properly facilitates the rights of data subjects, including complying with requests for deletion of personal data.
If the company does not comply with the French order, the CNIL warns that it could face further regulatory measures, which would include the possibility of a fine.
Under GDPR, DPAs can impose fines of up to €20 million or up to 4% of a company’s annual worldwide revenue, whichever is greater. However, imposing fines on companies without a presence in the EU presents a regulatory challenge.
Clearview was contacted for comment on the CNIL order.