Privacy & Information Security Law Blog

On October 17, 2022, the French Data Protection Authority (the “CNIL”) imposed a €20 million fine on Clearview AI for unlawful use of facial recognition technology. The fine was imposed after the CNIL’s prior formal notice remained unaddressed by Clearview AI.

Background

Clearview AI’s facial recognition technology collects publicly available pictures from online websites, including social media, and extracts images from videos available online. Clearview AI markets access to its image database, which consists of a search engine where a person can be searched by using a picture. The image database is offered as a service to law enforcement authorities to identify perpetrators or victims of crime. In order to allow the search of a specific person, Clearview AI creates a biometric template which consists of a digital representation of a person’s physical characteristics. Under the EU General Data Protection (the “GDPR”), biometric data qualifies as sensitive personal data and the processing thereof requires additional protection.

The CNIL had received complaints from individuals about Clearview AI’s facial recognition technology since May 2020 and opened an investigation during which it cooperated with other European data protection authorities under the GDPR’s cooperation mechanism (i.e., each local authority is competent to act on its own territory as Clearview AI is not established in the EU).

The CNIL’s investigation and decision

The CNIL’s investigation revealed the following:

• Clearview AI was processing sensitive data without a valid legal basis: Clearview was not collecting data subjects’ consent for the collection and use of their picture to supply Clearview AI’s software and could not rely on the legitimate interests legal basis, particularly in light of the intrusive character of the data collection and data subjects’ lack of awareness around the data collection; and
• Clearview AI had failed to facilitate the exercise of data subjects’ rights and to respond to requests in an effective and satisfactory manner, particularly access and erasure requests. 

In November 2021, the CNIL ordered Clearview AI to cease the collection and use of data of persons residing in France without a valid legal basis and to facilitate the exercise of data subjects’ rights and comply with such requests. Clearview AI did not provide any response to the CNIL’s formal notice.

In light of these infringements, Clearview AI’s lack of cooperation with the CNIL, and the “very serious risks to the fundamental rights of the data subjects resulting from the processing carried out by the company,” the CNIL decided to impose a maximum financial penalty of €20 million on Clearview AI, order Clearview AI to stop collecting and processing data of individuals residing in France and delete the data already collected within a period of two months. The CNIL also imposed a €100,000 penalty per day of delay beyond these two months. Read the CNIL’s decision (in French).