Facial recognition: 20 million euros penalty against CLEARVIEW AI
Following a formal notice which remained unaddressed, the CNIL imposed a penalty of 20 million euros and ordered CLEARVIEW AI to stop collecting and using data on individuals in France without a legal basis and to delete the data already collected.
How does the CLEARVIEW AI’s facial recognition service works?
CLEARVIEW AI collects photographs from many websites, including social media. It collects all the photographs that are directly accessible on these networks (i.e. that can be viewed without logging in to an account). Images are also extracted from videos available online on all platforms.
Thus, the company has collected over 20 billion images worldwide.
Thanks to this collection, the company markets access to its image database in the form of a search engine in which a person can be searched using a photograph. The company offers this service to law enforcement authorities in order to identify perpetrators or victims of crime.
Facial recognition technology is used to query the search engine and find a person based on their photograph. In order to do so, the company builds a "biometric template", i.e. a digital representation of a person's physical characteristics (the face in this case). These biometric data are particularly sensitive, especially because they are linked to our physical identity (what we are) and enable us to identify ourselves in a unique way.
The vast majority of people whose images are collected into the search engine are unaware of this feature.
The CNIL’s investigations and decision
As of May 2020, the CNIL received complaints from individuals about Clearview AI's facial recognition software and opened an investigation. In May 2021, the association Privacy International also warned the CNIL about this practice.
During this procedure, the CNIL cooperated with its European counterparts in order to share the results of the investigations, each authority being competent to act on its own territory because CLEARVIEW AI's has no establishment in Europe.
The investigations carried out by the CNIL revealed several breaches of the RGPD:
- unlawful processing of personal data (breach of article 6 of the GDPR) because the collection and use of biometric data are carried out without a legal basis;
- the failure to take into account the rights of individuals in a effective and satisfactory way, in particular requests for access to their data (articles 12, 15 and 17 of the GDPR).
On 26 November 2021, the Chair of the CNIL decided to give CLEARVIEW AI formal notice to :
- cease the collection and use of data of persons on French territory in the absence of a legal basis;
- facilitate the exercise of individuals' rights and to comply with requests for erasure.
CLEARVIEW AI had two months to comply with the injunctions formulated in the formal notice and to justify them to the CNIL. However, it did not provide any response to this formal notice. The Chair of the CNIL therefore decided to refer the matter to the restricted committee, which is in charge for issuing sanctions.
On the basis of the information brought to its attention, the restricted committee decided to impose a maximum financial penalty of 20 million euros, according to article 83 of the GDPR.
Regarding the very serious risks to the fundamental rights of the data subjects resulting from the processing carried out by the company, the restricted committee decided to order CLEARVIEW AI to stop collecting and processing data of individuals residing in France without a legal basis and to delete the data of these persons that it has already collected, within a period of two months. The restricted committee added to this injunction a penalty of 100,000 euros per day of delay beyond these two months.
Details of the identified breaches
Unlawful processing of personal data (breach of article 6 of the GDPR)
In order to be lawful, a processing of personal data must be based on one of the legal basis referred to in article 6 of the GDPR. The Clearview AI's facial recognition software, which does not comply with this rule, is therefore unlawful.
Indeed, this company does not obtain the consent of the persons concerned to collect and use their photographs to supply its software.
Clearview AI does not have a legitimate interest in collecting and using this data either, particularly given the intrusive and massive nature of the process, which makes it possible to retrieve the images present on Internet of the millions of Internet users in France. These people, whose photographs or videos are accessible on various websites, including social media, do not reasonably expect their images to be processed by the company to supply a facial recognition system that could be used by States for law enforcement purposes.
The seriousness of this breach led the CNIL restricted committee to order Clearview AI to cease, as long as it lacks a legal basis, the collection and use of data from people on French territory, in the context of the operation of the facial recognition software it markets.
Individuals' rights not respected (articles 12, 15 and 17 of the GDPR)
The complaints received by the CNIL revealed the difficulties encountered by complainants in exercising their rights with Clearview AI.
On the one hand, the company does not facilitate the exercise of the data subject's right of access:
- by limiting the exercise of this right to data collected during the twelve months preceding the request;
- by restricting the exercise of this right to twice a year, without justification;
- by only responding to certain requests after an excessive number of requests from the same person.
On the other hand, the company does not respond effectively to requests for access and erasure. It provides partial responses or does not respond at all to requests.
The company, which breaches the GDPR, is therefore ordered to:
- facilitate the exercise of the data subjects' rights;
- grant requests for erasure.
Lack of cooperation with the CNIL (Article 31 of the RGPD)
Throughout the procedure, CLEARVIEW AI failed to cooperate with the CNIL. Indeed, the company only replied very partially to the investigation form that was sent to it and did not provide any response to the formal notice issued by the Chair of the CNIL on 26 November 2021.
The restricted committee therefore also found a breach of the obligation to cooperate with the CNIL services.