Controversial facial recognition company, Clearview AI, which has amassed a database of some 10 billion images by scraping selfies off the Internet so it can sell an identity-matching service to law enforcement, has been hit with another order to delete people's data.
France's privacy watchdog said today that Clearview has breached Europe's General Data Protection Regulation (GDPR).
In an announcement of the breach finding, the CNIL also gives Clearview formal notice to stop its "unlawful processing" and says it must delete user data within two months.
The watchdog is acting on complaints against Clearview received since May 2020.
The US company does not have an established base in the EU -- meaning its business is open to regulatory action across the EU, by any of the bloc's data protection supervisors. So while the CNIL's order only applies to data it holds on people from French territories -- which the CNIL estimates covers "several" tens of millions of Internet users -- more such orders are likely from other EU agencies.
CNIL notes that it has sought to work with fellow authorities by sharing the results of its investigations -- which suggests Clearview is likely to face further orders to stop processing data from authorities in the other EU Member States and EEA countries that have transposed the GDPR into national law (some 30 countries in all).
This year Clearview's service has already been ruled in breach of privacy rules in Canada, Australia and the UK (which, post-Brexit, sits outside the EU but retains the GDPR in national law for now) -- where it's facing a possible fine and was also ordered to delete user data last month.
Two breaches of the GDPR
France's CNIL found that Clearview committed two breaches of the GDPR -- violating Article 6 (the lawfulness of processing) by collecting and using biometric data without a legal basis; and breaching a variety of data access rights set out in Articles 12, 15 and 17.
The Article 6 breach arises because Clearview does not obtain consent from people to use their facial biometrics, nor can it rely on a legitimate interest legal basis for collecting and using this data -- given what CNIL describes as the massive scale and "particularly intrusive" nature of the processing it's carrying out.
"These people, whose photographs or videos are accessible on various websites and social networks, would not reasonably expect their images to be processed by [Clearview AI] to feed a facial recognition system that can be used by states [such as for] police purposes," CNIL writes (translated from French).
It also received complaints from individuals over a number of "difficulties" encountered in trying to obtain their GDPR data access rights.
Here CNIL found Clearview is breaching the regulation in a number of ways -- such as by limiting individuals' data access rights to twice a year "without justification"; or limiting it to data collected during the preceding 12 months; or only responding to certain requests after "an excessive number of requests from the same person".
Clearview has been ordered to make sure it properly facilitates data subjects' rights, including complying with requests to delete people's data.
If the company does not comply with the French order CNIL warns it could face further regulatory action -- which would include the possibility of a fine.
Under GDPR, DPAs can issue fines as high as €20 million or up to 4% of a company's annual global revenue, whichever is higher. Enforcing fines on companies without an EU base does present a regulatory challenge, however.
Clearview has been contacted for comment on the CNIL's order.
Update: In a statement attributed to CEO and founder Hoan Ton-That, Clearview sought to suggest the company is not subject to the GDPR -- although the regulation is extraterritorial in scope, meaning it is applicable and (at least in theory) enforceable outside the EU's borders in instances when EU people's data has been processed in violation of the rules.
Here's Clearview's statement:
"Clearview AI does not have a place of business in France or the EU, it does not have any customers in France or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR.
"I grew up in Australia and have long viewed France as a world capital of beauty and excellence. I have deep respect for the country and its people. I created the consequential facial recognition technology known the world over with the purpose of helping to make communities safer and assisting law enforcement in solving heinous crimes against children, seniors and other victims of unscrupulous acts. We only collect public data from the open internet and comply with all standards of privacy and law. I am heartbroken by the misinterpretation by some in France, where we do no business, of Clearview AI’s technology to society. My intentions and those of my company have always been to help communities and their people to live better, safer lives."