Clearview AI, the US startup that drew notoriety in recent years for a massive breach of privacy after it removed selfies from the internet and used people’s data to build a facial recognition tool that it submitted to law enforcement order and others, received another fine in France. for lack of cooperation with the data protection regulator.
The French regulator, the CNIL, has issued the payment of the overdue fine of 5.2 million euros, in addition to a penalty of 20 million euros that it imposed on the company last year for violating regional privacy rules.
The General Data Protection Regulation (GDPR) of the European Union establishes the conditions for the processing of personal data in a lawful manner. Clearview has been found to have breached a number of requirements set out in the law, by France’s CNIL and various other regional data protection authorities, including authorities in the UK, Italy and Greece, obtaining several tens of millions in total fines to date.
Whether Clearview will ever pay any of these fines remains an open question, as the US-based company has not been cooperating with EU regulators.
in a Press release Today, the CNIL said that Clearview did not comply with the order it issued last October, when it imposed the maximum possible fine (20 million euros) for three types of GDPR infringements.
That 2022 order followed an earlier finding, in December 2021, when, after investigating the complaints, the CNIL decided that Clearview had violated the GDPR by illegally processing several tens of millions of citizen data; and not provide locals with access rights to the data.
It was Clearview’s failure to comply with the CNIL order of December 2021 that led, in October 2022, to the French watchdog adding a third offense to its account (failure to cooperate with the regulator) and issue the highest fine possible under the GDPR. . (The regulation allows fines of up to 4% of global annual turnover or 20 million euros, whichever is higher.)
The CNIL order also instructed Clearview not to collect or process data about individuals located in France without a proper legal basis; and delete data of individuals whose information you have unlawfully processed, after fulfilling pending data access requests.
At the time, the CNIL committee responsible for issuing sanctions gave Clearview two months to comply with the order, threatening additional fines if it failed to do so (at a cost of €100,000 per day of delay). ).
It’s safe to say that the demonstrably uncooperative US company has failed to play ball yet again, hence the latest fine from the CNIL, which appears to be billing Clearview for 52 days of non-compliance.
“Clearview AI had two months to comply with the order and justify compliance before the CNIL. However, the company did not send any proof of compliance within this timeframe,” the regulator writes. “On April 13, 2023, the select committee considered that the company had not complied with the order and consequently imposed a periodic penalty payment of €5,200,000 on Clearview AI.”
We contact the CNIL with questions.
Clearview was also contacted for a response. His PR agency, LAKPR Group, responded with his (now) usual denial that EU law applies to his business:
Clearview AI does not have a place of business in France or the EU, does not have any customers in France or the EU, and does not engage in any activities that would otherwise make it subject to GDPR.
(Note: the GDPR applies to the personal data of EU citizens, so Clearview should never have deleted the selfies from internet venues so that the bloc’s data protection law does not apply, and in particular , your statement does not say that you have never processed the Europeans’ data.)
Clearview’s statement re: what it expresses as “the misinterpretation by some in France, where we don’t do business, of Clearview AI technology for society” is attributed to its CEO, Hoan Ton-That. In it he goes on to repeat claims that he only created facial recognition technology “for the purpose of helping make communities safer and assisting law enforcement in solving heinous crimes against children, the elderly, and other victims of crime.” unscrupulous acts”; adding: “We only collect public data from the open internet and comply with all privacy standards and law.”
While France’s CNIL may have to hiss over the millions owed by Clearview, the fine announcements have the effect of essentially preventing the AI company from setting up shop in France, that is unless it’s willing to pay up when the CNIL debt collectors call.
Add to that, and perhaps most importantly, all these GDPR sanctions act as a deterrent for other entities in the region to use Clearview’s services, as they risk being fined, as happened in 2021 with a police authority. Swedish woman caught using Clearview illegally, eg.
So while people’s data in the EU is still not protected from abusive processing by privacy-hostile AI companies like Clearview, the GDPR may at least be helping to limit the harm by making it impossible to facto do business in the region. Though there’s no doubt that the saga underscores the challenge of enforcing a regional rulebook on uncooperative foreign entities in an era of huge cross-border data flows.
More EU regulation for AI is also coming, with EU lawmakers busy working out the final details of the AI Law: a regulation on the use of artificial intelligence that was proposed by the Commission in 2021. The preliminary version of this risk-based law The framework includes a ban on the use of remote biometrics in public places, which Clearview may have helped inspire.
