Following complaints from NGOs, the French data protection authority (CNIL) fined Clearview AI €20 million in accordance with EU privacy rules and directed it to stop collecting data in France and delete any data that had already been obtained.
What is Clearview AI
The facial recognition system used by Clearview AI harvests images from online videos and gathers publicly available photos from social media and other sources. Access to Clearview AI’s image database is sold, and it includes a search engine where a person may be looked up using a photo. Law enforcement agencies can use the image database to find criminals or victims of crime as a service.
Clearview AI develops a biometric template, which is a digital representation of a person’s physical traits, to enable the search for a specific person. Biometric data is considered sensitive personal data under the EU General Data Protection Regulation (GDPR), and its processing calls for enhanced security.
Background
Since May 2020, the CNIL has received complaints from individuals over the facial recognition technology used by Clearview AI. As a result, CNIL launched an investigation and worked with other EU data protection authorities in accordance with the GDPR’s system for cooperation (i.e., each local authority is competent to act on its own territory as Clearview AI is not established in the EU).
The CNIL’s investigation discovered the following:
Due to Clearview AI’s failure to obtain data subjects’ consent for collecting and using their images and its inability to rely on the legal basis of legitimate interest – in light of the intrusive nature of the data collection and the lack of awareness on the part of the data subjects of the data collection – Clearview AI was processing sensitive data without a valid legal basis.
If you’d like more information, you can read CNIL’s official notice here →