Following a formal notice which remained unaddressed, the CNIL imposed a penalty of 20 million euros and ordered CLEARVIEW AI to stop collecting and using data on individuals in France without a legal basis and to delete the data already collected.
How does the CLEARVIEW AI’s facial recognition service works?
CLEARVIEW AI collects photographs from many websites, including social media. It collects all the photographs that are directly accessible on these networks (i.e. that can be viewed without logging in to an account). Images are also extracted from videos available online on all platforms.
Thus, the company has collected over 20 billion images worldwide.
Thanks to this collection, the company markets access to its image database in the form of a search engine in which a person can be searched using a photograph. The company offers this service to law enforcement authorities in order to identify perpetrators or victims of crime.
Facial recognition technology is used to query the search engine and find a person based on their photograph. In order to do so, the company builds a “biometric template”, i.e. a digital representation of a person’s physical characteristics (the face in this case). These biometric data are particularly sensitive, especially because they are linked to our physical identity (what we are) and enable us to identify ourselves in a unique way.
The vast majority of people whose images are collected into the search engine are unaware of this feature.
The CNIL’s investigations and decision
As of May 2020, the CNIL received complaints from individuals about Clearview AI’s facial recognition software and opened an investigation. In May 2021, the association Privacy International also warned the CNIL about this practice.
During this procedure, the CNIL cooperated with its European counterparts in order to share the results of the investigations, each authority being competent to act on its own territory because CLEARVIEW AI’s has no establishment in Europe.
The investigations carried out by the CNIL revealed several breaches of the RGPD:
- unlawful processing of personal data (breach of article 6 of the GDPR) because the collection and use of biometric data are carried out without a legal basis;
- the failure to take into account the rights of individuals in a effective and satisfactory way, in particular requests for access to their data (articles 12, 15 and 17 of the GDPR).
On 26 November 2021, the Chair of the CNIL decided to give CLEARVIEW AI formal notice to :
- cease the collection and use of data of persons on French territory in the absence of a legal basis;
- facilitate the exercise of individuals’ rights and to comply with requests for erasure.
CLEARVIEW AI had two months to comply with the injunctions formulated in the formal notice and to justify them to the CNIL. However, it did not provide any response to this formal notice. The Chair of the CNIL therefore decided to refer the matter to the restricted committee, which is in charge for issuing sanctions.
On the basis of the information brought to its attention, the restricted committee decided to impose a maximum financial penalty of 20 million euros, according to article 83 of the GDPR.
Regarding the very serious risks to the fundamental rights of the data subjects resulting from the processing carried out by the company, the restricted committee decided to order CLEARVIEW AI to stop collecting and processing data of individuals residing in France without a legal basis and to delete the data of these persons that it has already collected, within a period of two months. The restricted committee added to this injunction a penalty of 100,000 euros per day of delay beyond these two months.
Details of the identified breaches…
IAB Europe’s advertising bidding model uses personal data, EU court rules
After clarification from Luxembourg, the Belgian Court of Appeal will now rule on the case…