Facial recognition: the CNIL orders CLEARVIEW AI to stop reusing photographs available on the Internet
CLEARVIEW AI has developed a facial recognition software whose database is based on the extraction of photographs and videos publicly available on the Internet. The CNIL chair has ordered the company to cease this illegal processing and to delete the data within two months.
As of May 2020, the CNIL received complaints from individuals about Clearview AI's facial recognition software and opened an investigation. In May 2021, the association Privacy International also warned the CNIL about this practice.
During the procedure, the CNIL cooperated with its European counterparts in order to share the results of the investigations, each authority being competent to act on its own territory because CLEARVIEW AI has no establishment in Europe.
The investigations carried out by the CNIL revealed two breaches of the GDPR:
- unlawful processing of personal data (breach of article 6 of the GDPR) because the collection and use of biometric data are carried out without a legal basis;
- the failure to take into account the rights of individuals in an effective and satisfactory way, in particular requests for access to their data (articles 12, 15 and 17 of the GDPR).
Therefore, the CNIL chair has decided to order CLEARVIEW AI to:
- cease the collection and use of data of persons on French territory in the absence of a legal basis;
- facilitate the exercise of individuals' rights and to comply with requests for erasure.
CLEARVIEW AI has a period of two months to comply with the injunctions formulated in the order and to justify its compliance to the CNIL. If it has not complied within the two month period, the CNIL chair may request the restricted committee to issue, if necessary, a sanction (including an administrative fine).
How does the CLEARVIEW AI's facial recognition service work?
CLEARVIEW AI collects photographs from many websites, including social media. It collects all the photographs that are directly accessible on these networks (i.e. that can be viewed without logging in to an account). Images are also extracted from videos available online on all platforms.
Thus, the company has collected over 10 billion images worldwide.
Thanks to this collection, the company markets access to its image database in the form of a search engine in which a person can be searched using a photograph. The company offers this service to law enforcement authorities in order to identify perpetrators or victims of crime.
Facial recognition technology is used to query the search engine and find a person based on their photograph. In order to do so, the company builds a "biometric template", i.e. a digital representation of a person's physical characteristics (the face in this case). These biometric data are particularly sensitive, especially because they are linked to our physical identity (what we are) and enable us to identify ourselves in a unique way.
The vast majority of people whose images are collected into the search engine are unaware of this feature.
Details of the identified breaches
Unlawful processing of personal data (breach of article 6 of the GDPR)
In order to be lawful, a processing of personal data must be based on one of the legal basis referred to in article 6 of the GDPR. The Clearview AI's facial recognition software, which does not comply with this rule, is therefore unlawful.
Indeed, this company does not obtain the consent of the persons concerned to collect and use their photographs to supply its software.
Clearview AI does not have a legitimate interest in collecting and using this data either, particularly given the intrusive and massive nature of the process, which makes it possible to retrieve the images present on the Internet of several tens of millions of Internet users in France. These people, whose photographs or videos are accessible on various websites, including social media, do not reasonably expect their images to be processed by the company to supply a facial recognition system that could be used by States for law enforcement purposes.
The seriousness of this breach led the CNIL chair to order Clearview AI to cease, for lack of a legal basis, the collection and use of data from people on French territory, in the context of the operation of the facial recognition software it markets.
Individuals' rights not respected (Articles 12, 15 and 17 of the GDPR)
The complaints received by the CNIL revealed the difficulties encountered by complainants in exercising their rights with Clearview AI.
On the one hand, the company does not facilitate the exercise of the data subject's right of access:
- by limiting the exercise of this right to data collected during the twelve months preceding the request;
- by restricting the exercise of this right to twice a year, without justification;
- by only responding to certain requests after an excessive number of requests from the same person.
On the other hand, the company does not respond effectively to requests for access and erasure. It provides partial responses or does not respond at all to requests.
The company, which breaches the GDPR, is therefore ordered to:
- facilitate the exercise of the data subjects' rights;
- grant requests for erasure.