On October 20, 2022, the French data protection agency, the Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a € 20 million penalty on Clearview AI, ordering the company to cease collecting data on consumers in France and to delete the data already collected.
Clearview AI is a facial recognition company headquartered in New York. The company collects publically available photographs from the internet, and then applies facial recognition technology to collate the photographs, creating a biometric identity for thousands of individuals who are unaware of the company’s processing or use of their images. Clearview then sells the data to governments, law enforcement agencies, financial institutions, transportation networks and commercial enterprises.
After receiving complaints about Clearview, in November 2021 the CNIL issued a notice to the company, requesting that it stop collecting and using data of persons residing in France without a legal basis for doing so, and that it comply with requests to delete data already collected. In the November 2021 notice, the CNIL identified breaches of Articles 6, 12, 15 and 17 of the General Data Protection Regulation (GDPR). Article 6 sets out the alternative legal bases for processing personal data. These include contractual or specific consent, legal obligations, protection of vital interests, the public interest, or legitimate interests not otherwise overridden by the fundamental rights or freedoms of the data subject. The CNIL’s notice asserted that Clearview AI had no legitimate interest in collecting and using the data, and demanded that the company cease this activity. Articles 12 through 23 enumerate the rights of the data subject. These include clear channels of communication, the right to access, and the right to erasure.
Clearview did not comply with the CNIL’s notice, and did not respond to the CNIL. The agency therefore referred the case to the CNIL restricted committee responsible for issuing sanctions. Finding that the violations described in the November 2021 notice had not been remedied, and that Clearview had collected over 20 billion images worldwide and persisted in processing the data, the CNIL committee imposed the maximum financial penalty allowed under Article 83 of the GDPR – € 20 million. The CNIL also found that Clearview had violated its obligation to cooperate in the investigation pursuant to Article 31 of the GDPR. Clearview has two months to stop collecting and processing the data of individuals residing in France, and to delete the data it has already collected. If the company does not comply, an additional penalty of € 100,000 per day will be applied.
Clearview has been the subject of investigations and enforcement actions by several national data protection agencies:
- in June 2022, the UK Information Commissioner’s Office imposed a £7,552,800 penalty on the company;
- in March 2022, the Italian Garante per la protezione dei dati personali imposed a € 20 million fine on Clearview, and;
- in July 2022, the Hellenic Data Protection Authority in Greece imposed a € 20 million penalty on the company for violations of the principles of lawfulness and transparency embodied in Article 5 of the GDPR, as well as violations of the company’s obligations under Articles 12, 14, 15 and 27 of the statute;
- in February 2021, a report by the Office of the Privacy Commissioner of Canada found Clearview to be in violation of Canadian privacy law, and in December 2021 the OPCC announced a legally binding order that Clearview comply with the commissioner’s recommendations to stop collecting and sharing images, and;
- in November 2021, the Office of the Australian Information Commissioner found that Clearview had breached Australian privacy law by scraping citizens’ biometric information and disclosing it through the company’s facial recognition tool. The agency issued a declaration requiring Clearview to cease collecting images from individuals in Australia, and to destroy images previously collected.