Clearview AI Slapped with Another €20 Million GDPR Penalty
The French Data Protection Authority, Commission Nationale de l’informatique et des Libertés (CNIL), has imposed the maximum possible financial penalty on Clearview AI for violations of the General Data Protection Regulation (GDPR).
Clearview AI is an American company that provides facial recognition technology to companies, universities, and law enforcement agencies. The company scrapes images and other personal data from the Internet from publicly available sources such as social media networks and video platforms such as YouTube, then feeds the images and data into its artificial intelligence algorithm to create biometric templates. The database of images is then marketed to customers who can use the database and algorithm as an image search engine. They can feed an image into the system and it will search the database and identify other images and data of the same person. For instance, law enforcement can use Clearview AI’s system to help identify individuals who are wanted for questioning in connection with crimes. The company has collected more than 20 billion images to date, the majority of which have been collected and processed without user consent.
Last year, CNIL issued Clearview AI with an order to stop unlawfully processing the data of French citizens and ordered the company to delete their data. Clearview AI was alleged to have engaged in the unlawful processing of personal data – in violation of Article 6 of the GDPR – as there was no legal basis for processing that data. CNIL also alleged that Clearview AI failed to take into account the rights of individuals in an effective and satisfactory way, including the rights of EU citizens to access their data and have it deleted, in violation of Articles 12, 15, and 17 of the GDPR.
Clearview AI was told it had two months to comply with the order and to justify the actions it took, but CNIL said Clearview AI failed to respond to the order. In addition to the above GDPR violations, the lack of cooperation with a Data Protection Authority was a violation of Article 31 of the GDPR. The lack of response saw CNIL refer the case to its restricted committee, which is responsible for imposing fines and sanctions for GDPR violations. After assessing the case, the restricted committee determined that the failure to even respond to the order warranted the maximum possible financial penalty.
Under the GDPR, organizations found to have violated the requirements of the GDPR can be fined up to €20 million ($19.66 million), or 4% of their annual turnover for the previous fiscal year. Clearview AI has an annual turnover of around $3.5 million (€3.56 million), so the maximum fine of €20 million applies.
Clearview AI has previously stated that it does not operate out of any locations in the EU and maintains that it is not subject to the GDPR. LakPR Group, the PR agency used by Clearview AI, issued a statement about the CNIL penalty stating, “There is no way to determine if a person has French citizenship, purely from a public photo from the internet, and therefore it is impossible to delete data from French residents. Clearview AI only collects publicly available information from the internet, just like any other search engine like Google, Bing or DuckDuckGo.”
This is not the only GDPR fine to be imposed on Clearview AI for GDPR violations. Similar fines have been imposed by the Data Protection Authorities in Italy and Greece, which have also issued maximum penalties of €20 million. The UK has also imposed a penalty of £7.5 million (€8.64 million / $8.49 million) for similar reasons. To date, none of these penalties have been paid and Clearview AI continues with its business practices.
While the fines may be difficult to collect, they have sent a message that the collection and use of the data of EU citizens is prohibited. Data Protection Authorities may also target the violations in other ways, such as pursuing financial penalties against companies or law enforcement agencies that choose to use the services of Clearview AI,. That was the case in Sweden, where a local police authority was fined for unlawfully using Clearview AI’s services.