May 12, 2023

France imposes overdue GDPR penalty payment of €5.2 million upon Clearview AI

On May 10, 2023, the French data protection agency, the Commmission Nationale de l’Informatique et des Libertés (“CNIL”), announced that it imposed an overdue penalty payment upon Clearview AI, a New York-based facial recognition company accused of applying facial recognition technology to billions of photographs collected from public websites and social media platforms without the individual’s knowledge or consent.  Clearview is also accused of selling access to its database of images to law enforcement authorities.  On October 20, 2022, the CNIL restricted committee – the body responsible for issuing sanctions – imposed a maximum fine of €20 million upon Clearview and ordered the company to cease the collection of images from consumers in France and delete the data already collected.  The fine was imposed after the CNIL determined that the company’s collection practices breached Articles 6, 12, 15, and 17 of the General Data Protection Regulation (“GDPR”).  The restricted committee gave Clearview two months to comply with the order or pay a penalty of €100,000 per day overdue.  After Clearview failed to pay the fine or provide proof of compliance within the required timeframe, on April 13, 2022, the restricted committee imposed an additional overdue payment penalty upon the company in the amount of €5.2 million.

Clearview has been investigated and fined by several data protection authorities around the world.  In June 2022, the UK Information Commission’s Office (“ICO”) issued a £7.5 million fine against Clearview after a joint investigation by the ICO and the Office of Australian Information Commission found that the Clearview’s data collection practices infringed upon the UK GDPR.  The ICO also ordered Clearview to delete the personal data of UK residents from it database and refrain from offering its database services to UK customers.  In March 2022, the Italian Garate per la Protezione dei Dati Personali (the Guarantor for the Protection of Personal Data) imposed a €20 million fine against Clearview for violating the GDPR after its investigation uncovered unlawful data collection practices, including the alleged tracking of Italian citizens and people located in Italy.  In addition to the fine, the Guarantor ordered Clearview to delete the data collected from persons in Italy and prohibited the collection and processing of images through its facial recognition program.  In May 2022, Clearview was also banned from selling access to it facial recognition data “across the US” as the result of a settlement reached with the American Civil Liberties Union.

CNIL Press Release | Deliberations of the CNIL Restricted Committee