The facial recognition firm Clearview AI, which hit the headlines earlier this year for committing several GDPR (General Data Protection Regulation) infractions, has just been given another fine.
Clearview was previously found to have used selfies and other personal data without people’s consent, which it used as part of an AI-powered identity-matching service.
The organisation collected more than 20 billion images of people’s faces, alongside information from publicly available sources online, such as social media platforms. Investigations from data protection authorities in the UK, Greece, Italy and France all revealed that Clearview AI breached the GDPR.
Specifically, it was deemed to have unlawfully processed personal data (violating Article 6) and to not respect individuals’ rights (Articles 12, 15 and 17).
In most cases, that would be the end of the story. The Greek and Italian data protection authorities both issued €20 million fines, the UK’s ICO (Information Commissioner’s Office) issued a surprisingly lenient €9 million penalty, and France’s CNIL was even more tolerant, issuing only enforcement action.
It ordered Clearview to rectify its data collection practices by properly facilitating data subjects’ rights – including requests to remove people’s personal data. If Clearview failed to comply with this order, the CNIL warned, it could face further regulatory action and the possibility of a fine.
Given that four separate regulatory bodies found that Clearview’s practices breached the GDPR, you would think this would be a wake-up call for the firm to review its data protection practices.
The organisation chose to ignore the CNIL’s order (as well as the fines from other bodies), adding a third breach to its earlier tally: lack of cooperation with the data protection authority (Article 31 of the GDPR).
In a recent press release, the CNIL wrote: “Clearview AI had two months to comply with the injunctions formulated in the formal notice and to justify them to the CNIL. However, it did not provide any response to this formal notice.
“The chair of the CNIL therefore decided to refer the matter to the restricted committee, which is in charge for issuing sanctions. On the basis of the information brought to its attention, the restricted committee decided to impose a maximum financial penalty of 20 million euros, according to article 83 of the GDPR.”
What was Clearview thinking?
Following the CNIL’s decision, Clearview’s PR agency sent the following statement, attributed to CEO Hoan Ton-That:
“There is no way to determine if a person has French citizenship, purely from a public photo from the internet, and therefore it is impossible to delete data from French residents. Clearview AI only collects publicly available information from the internet, just like any other search engine like Google, Bing or DuckDuckGo.”
The statement goes on to say that Clearview doesn’t have a place of business in France or in the EU. Moreover, it doesn’t conduct any activities that would “otherwise mean it is subject to the GDPR”, adding: “Clearview AI’s database of publicly available images is lawfully collected, just like any other search engine like Google.”
This raises two issues. First, the statement explains why it disagrees with the CNIL’s decision but it doesn’t explain why it ignored the order.
The relatively short history of the GDPR has been littered with organisations that deny wrongdoing after receiving a fine, and their next course of action is to appeal the decision.
In many cases this is somewhat successful, with the fine either being reduced or entering a protracted legal battle that delays the inevitable and gives the organisation time to adjust its finances to prepare for the penalty.
If Clearview believed that it wasn’t subject to the GDPR, it should have defended its position in an official manner rather than ignoring to the request.
Nonetheless, this is a moot point given that an appeal almost certainly wouldn’t have helped Clearwater. Its reasoning for why it isn’t subject to the GDPR is based on a flawed understanding of the Regulation’s regulatory scope.
Why Clearwater is subject to the GDPR
During the ongoing investigations into Clearwater – and again with Hon-That’s most recent statement – the organisation has made several claims as to why it is not subject to the GDPR.
Chief among them is that there is no way to determine whether the individuals whose personal information was collected are EU residents.
This may well be true, given that the organisation scrapes data off the Internet and doesn’t source it directly, but organisations can’t use ignorance to avoid their regulatory requirements. Clearview says it has collected over 20 billion images worldwide, so it can reasonably assume that a decent proportion of them are EU residents.
Moreover, the organisation works directly with law enforcement bodies in Europe, so it can reasonably assume that the information relates to EU residents.
An even more tenuous argument is Ton-That’s claim that it created its facial recognition tech with “the purpose of helping to make communities safer and assisting law enforcement in solving heinous crimes against children, seniors and other victims of unscrupulous acts”.
Again, this might be true, but the motive for collecting personal data has no bearing on the legal requirements for processing it.
In each case where Clearview has been sanctioned, it has taken the same approach, denying that it has committed any breach and refuting that the data protection authority has jurisdiction.
How these regulatory bodies proceed from here is unclear. The GDPR notionally gives them extraterritorial scope to issue fines to organisations based outside the EU (with Clearview being US-based), but forcing the organisation to pay up is another matter.
One option would be to go after the organisation’s supply chain, which is what Sweden’s data protection watchdog did last year. After investigating the country’s local police force for its use of personal data processed by Clearview, it issued a €250,000 fine for the unlawful use of personal data in relation to Sweden’s Criminal Data Act.
If EU organisations learn that using Clearview’s data will land them in regulatory trouble, it could effectively oust the organisation from the EU.
Whatever happens next, it demonstrates how much the GDPR is being misinterpreted more than five years after it came into effect. If you’re among those questioning whether you understand your compliance requirements, IT Governance can help you find an answer.
Our team of experts are on hand to help you with whatever issues you face – whether that’s uncertainty over whether certain practices are within the GDPR’s scope or the need for ongoing compliance support.