The French Data Protection Authority, Commission Nationale de L’Informatique et des Libertés (CNIL), has issued a fine of €20 million against Clearview AI (hereafter Clearview), a company that now claims to have more than 30 billion images used for facial recognition. Clearview collects photos from all sorts of directly accessible websites, social media platforms and videos to improve its database and provide facial recognition services. Here, we explain further how Clearview collects images and how its AI software works.
Fined by the CNIL
The French authority established that the processing carried out by Clearview resulted in serious breaches of the GDPR and risks to the fundamental rights of the data subjects. These are the main breaches leading to the €20 million fine:
The processing was unlawful. According to the CNIL, the processing by Clearview’s facial recognition software lacks a legal basis since the company does not collect consent to use photos. Additionally, the authority considers that the legitimate interest of Clearview is not applicable since individuals do not reasonably expect their images to be processed by the company to supply facial recognition services.
Hindrance of data subjects’ rights. Data subjects complained to the CNIL about difficulties experienced exercising their rights. For instance, the right of access was limited to data collected in the last twelve months preceding the request and limiting the exercise of the right to two requests yearly without justification. The CNIL concluded that Clearview breached the GDPR and ordered it to facilitate the exercise of data subjects’ rights and grant requests for erasure.
Unwillingness to cooperate with the Data Protection Authority. The CNIL considered that Clearview was uncooperative, did not provide any response to the formal notice of the investigation that led to the fine, and only partially replied to the investigation form sent by the authority.
Clearview ordered to delete personal data
The CNIL ordered Clearview to stop collecting and processing data of individuals residing in France without a legal basis and to delete the data collected unlawfully. The authority gave Clearview two months to comply with the order and a penalty of €100,000 per day of delay after this period.
Similar breaches of the GDPR led to fines by other data protection authorities (here we reviewed the fine by the Information Commissioner’s Office) and, in total, Clearview has been fined over €69 million by European data protection authorities.
If you need advice on implementing new technologies or processing special categories of personal data (e.g., genetic data, biometric data, health data, etc.) on a large scale, we are at your disposal and can be reached through our contact form.