The CNIL sanctioned the American company Clearview AI with a fine of 20 million euros on Thursday. The French authority accuses the company of collecting and using biometric data without authorization.
The National Commission for Computing and Liberties (CNIL) keeps an eye on things, especially when it comes to facial recognition. It proves it with the heavy sanction pronounced against the American service Clearview AI, condemned to a fine of 20 million euros for having ignored the formal notice from the French authority, about the very large use scale of its facial recognition software.
Clearview AI, photos unearthed absolutely everywhere on the Web for identification purposes
Clearview AI is known for sucking up photos (and video screenshots) from many websites and social networks that can be accessed without having to log in specifically. It would have inflated its database of some 20 billion images around the world in this way, with pictures belonging to tens of millions of French Internet users.
These collected photos form the basis of Clearview AI’s business model, which markets access to its image database in the form of a search engine that allows you to find an individual based on a photograph. Law enforcement agencies regularly use it to identify victims or perpetrators of misdeeds.
And to achieve identification, Clearview AI creates a biometric template, a kind of digital representation of a person’s physical characteristics. In the case of the American company, it is the face. Biometric data is thus particularly sensitive, since it is linked to our physical identity.
Collection and processing of biometric data, no consent obtained, laconic collaboration with the authorities… the list goes on
The CNIL indicates that it received complaints from individuals as early as May 2020 about the facial recognition software used by Clearview AI. After carrying out its investigation during which it collaborated with its European counterparts, the authority found several breaches of the GDPR, such as the unlawful processing of personal data. The American firm does not rely on any legal basis for the use of its software and the processing of the biometric data on which it feeds. In addition, it does not collect the consent of the persons concerned, and has no legitimate interest in collecting and using the data.
Among the other shortcomings, the CNIL notes the difficulty for complainants to exercise their rights with Clearview AI. For example, the company limits any request to data collected in the twelve months preceding the request and only deigns to respond after an excessive number of requests from the same person.
The French data policeman also noted and regretted the total lack of cooperation from the targeted company. ” Throughout the procedure, Clearview AI failed in its obligation to cooperate with the services of the CNIL. Indeed, the company only responded in a very partial way to the control questionnaire that had been sent to it and did not provide any response to the formal notice from the President of the CNIL of November 26, 2021. “, he explains.
The fine of 20 million euros imposed by the CNIL is accompanied by a request to delete the data. The authority also wants the American firm to immediately end the collection and processing of data from people located in France, within two months. If at the end of the period, Clearview AI continues its practices, the company will be placed under penalty of 100,000 euros per day of delay.
3