On 20 October 2022, the French Data Protection Agency – CNIL, imposed a €20 million fine on Clearview AI over their facial recognition technology.
Following the formal notice that went unaddressed, the CNIL issued a maximal fine and ordered Clearview AI to cease all collection and usage of personal data on individuals in France without the proper legal basis and to delete the data already in use within a period of two months.
If fail to do so, Clearview AI could face additional penalties of €100,000 per day of delay following two months after the decision.
Clearview AI’s facial recognition
Clearview AI provides an intelligence platform powered by facial recognition technology that includes a facial network of 30+ billion facial images sourced from the public internet, public social media, videos available online on all platforms, and other open sources.
Essentially, the company builds a biometric template, a digital representation of a person’s physical characteristics, in this case, face, allowing access to an image database through a search engine in which a person can be searched using a photograph.
The company offers this service to law enforcement authorities in order to identify perpetrators or victims of crime. However, the vast majority of people whose images are collected into the search engine are unaware of this processing.
CNIL’s investigation
Back in May 2020, the CNIL received complaints from individuals regarding Clearview AI’s facial recognition platform concerning the difficulties they encountered when trying to exercise their rights of access or their right of erasure.
The following year, the association Privacy International also warned the CNIL about this practice, which ultimately led to the opening of an investigation.
CNIL’s investigation uncovered violations of Articles 6, 12, 15, 17, and 31 of the General Data Protection Regulation (GDPR) regarding the unlawful processing of personal data since the data was collected and used without proper legal basis and violation of the rights of individuals, especially their right to access.
On 26 November 2021, the CNIL issued CLEARVIEW AI formal notice, giving Clearview AI two months to cease the collection and use of data of persons on French territory in the absence of a legal basis, to facilitate the exercise of individuals’ rights and to comply with requests for erasure. However, Clearview AI did not provide any response.
Unlawful processing of personal data
The investigation revealed that Clearview AI’s facial recognition software uses a collection of images containing faces that are used for commercial purposes, including the provision of data to law enforcement agencies in the US, without consent from persons whose personal data had been processed, nor legitimate interest in collecting and using that data.
CNIL specifically addressed the intrusive and massive nature of the process, which collects images of millions of individuals in France who do not reasonably expect their images to be processed by the company to supply a facial recognition system used by States for law enforcement purposes.
Violation of individual’s rights
As mentioned in the complaints addressed to CNIL back in 2020, the investigation confirmed that Clearview AI does not facilitate the exercise of the data subject’s right of access.
Clearview AI limited the exercise of the right to access data to data collected only in the past twelve months preceding the request, restricting the exercise of this right to twice a year, and responding to certain requests only after an excessive number of requests from the same person.
The company also provided partial responses and did not respond effectively to the right to erasure.
Lack of cooperation
CNIL also addressed Clearview AI’s violation of Article 31 by failing to cooperate with the data protection authority since the company provided only partial responses to the investigation form.
The most evident lack of cooperation was the lack of any response to the formal notice that was issued on November 26, 2021, giving Clearview AI two months to cease the collection and use of personal data.
CNIL’s fine
Taking into consideration serious risks to the fundamental rights of individuals, the massive nature of the processing, and the lack of cooperation with the data protection authority, CNIL fined Clearview AI issuing a maximal fine of €20 million and a penalty of €100,000 per day of delay following two months after the decision.
CNIL also issued an order to Clearview AI to stop the processing and collection of personal data of individuals in French territory and to delete personal data that has been collected without a proper legal basis.
