Clearview AI, the US start-up that gained notoriety in recent years for a massive privacy breach after it scraped selfies from the internet and used people’s data to build a facial recognition tool that it pitched to law enforcement and others, is fined again in France for non-cooperation with the data protection regulator.
The overdue penalty of €5.2 million was issued by France’s regulator, the CNIL – on top of a €20 million sanction imposed on the company last year for violating regional privacy rules.
The General Data Protection Regulation (GDPR) of the European Union contains conditions for the lawful processing of personal data. Clearview has been found to have breached a number of legal requirements – by the French CNIL and several other regional data protection authorities, including authorities in the UK, Italy and Greece, resulting in fines totaling several tens of millions to date.
Whether Clearview will ever pay any of these fines remains an open question, as the US-based company does not cooperate with EU regulators.
In a press release today the CNIL said Clearview has failed to comply with the order it issued last October – when it imposed the maximum possible fine (€20 million) for three types of GDPR breaches.
That 2022 order followed an earlier finding, in December 2021, when – after investigating complaints – the CNIL decided that Clearview had breached the GDPR by unlawfully processing several tens of millions of citizens’ data; and not granting access rights to the local population.
It was Clearview’s failure to comply with the CNIL’s December 2021 order that led to the French watchdog adding a third infringement finding to its list in October 2022 – lack of cooperation with the regulator – and imposing the highest fine possible under the GDPR. (The regulation allows fines of up to 4% of global annual turnover or €20 million, whichever is higher.)
The CNIL’s order also directed Clearview not to collect and process data about individuals who are in France without a proper legal basis; and to delete data of individuals whose information it has unlawfully processed, after any outstanding data access requests have been fulfilled.
At the time, the CNIL committee responsible for issuing sanctions gave Clearview a two-month deadline to comply with the order – with the threat of further fines if it failed to do so (at a cost of €100,000 per day overdue).
It’s safe to say that the arguably unwilling US company has once again failed to play the ball – hence the latest CNIL fine, which appears to bill Clearview for 52 days of non-compliance.
“Clearview AI had two months to comply with the order and justify compliance to the CNIL. However, the company has not sent any proof of compliance within this period,” the regulator writes. “The select committee ruled on April 13, 2023 that the company had not complied with the order and therefore imposed an overdue penalty of €5,200,000 on Clearview AI.”
We have contacted the CNIL with questions.
Clearview was also contacted for comment. Her PR firm, the LAKPR Group, responded with her (now) usual denial that EU law applies to her company:
Clearview AI is not located in France or the EU, has no customers in France or the EU, and does not engage in any activities that would otherwise make it subject to the GDPR.
(NB: GDPR applies to EU peoples’ personal data, so Clearview should never have scraped locals’ selfies off the internet for the bloc’s data protection law to be inapplicable and, with notably, the statement doesn’t say it never processed Europeans’ data.)
Clearview’s statement on what it states as “the misinterpretation by some in France, where we don’t do business, of Clearview AI technology to society” is attributed to the CEO, Hoan Ton-That. In it, he reiterates a claim that he created the facial recognition technology solely for the “purpose of making communities safer and helping law enforcement solve heinous crimes against children, seniors and other victims of unscrupulous acts”; adding: “We only collect public data from the open internet and comply with all privacy and legal standards.”
While France’s CNIL may have to whistle for the millions Clearview owes, the fines essentially prevent the AI company from establishing itself in France – i.e. unless it’s willing to pay when the CNIL’s debt collectors come.
Add to that, and perhaps more importantly, all these GDPR sanctions deter other entities in the region from using Clearview’s services – as they risk being fined themselves, as happened in 2021 when a Swedish police authority caught was charged with unauthorized use of Clearview, for example.
So while people’s data in the EU is still not protected from unlawful processing by privacy-hostile AI companies like Clearview, the GDPR could at least help mitigate the damage by making it de facto impossible to do business in the EU. region. Though the story no doubt underscores the challenge of enforcing a regional rulebook for uncooperative foreign entities at a time of large cross-border data flows.
More EU regulation on AI is also on the way, with the bloc’s legislators very busy working out the final details of the AI law: a regulation on the use of artificial intelligence proposed by the Commission in 2021 . framework includes a ban on the use of remote biometrics in public places – which Clearview may have contributed to.