The Cnil imposes a fine of 20 million euros against the American company Clearview AI, which sucks up all the photos of individuals it finds on the net to feed its facial recognition system.
Clearview AI was notified, but did not listen. Above all, she never really deigned to respond to the National Commission for Computing and Liberties (Cnil). Too bad: this silence did not hold back the arm of the French data protection authority to hit this American company dedicated to facial recognition, this Thursday, October 20, 2022.
The blow is harsh. The Cnil today imposes a penalty of 20 million euros, which is the maximum amount it can pronounce against Clearview AI. Admittedly, the law also allows it to pronounce a sentence calibrated on turnover (4%, according to the GDPR), but Clearview AI does not publish its accounts, which deprives the Cnil of this leverage.
Since 2020, Clearview has been the subject of significant media coverage, as it was discovered that its activities lead it to suck up all the photos it finds on the net to train its facial recognition algorithms. Its database would contain more than 30 billion photos (10 more than the Cnil estimate), with more than 99% accurate targeting.
This practice has a name: scrapping. This is to automate the collection through a script, on all publicly accessible pages – like a misconfigured Facebook account. Naturally, all this is done without the agreement of individuals, and often in violation of the rules of websites, which oppose the use of this kind of program.
” This collection concerns images of adults and minors, no filter being applied in this regard. Only hundreds of URLs, associated with adult sites with the largest audiences, are blocked and excluded from collection “, writes the Cnil. Everything else goes there: social networks, professional sites, blogs, sites, extracts from YouTube…
Convictions everywhere, and now in France
This behavior has already led to other convictions around the world: in Greece, Italy, Australia, the United Kingdom. Moreover, the Cnil has cooperated with its counterparts on the Old Continent to ” share the results of the investigations “. Greece and Italy imposed penalties of 20 million euros, while the United Kingdom imposed a fine of just under 9 million.
The Cnil’s analysis revealed several breaches of the GDPR: unlawful processing of personal data, rights of individuals not respected, lack of cooperation with the services of the Cnil. All this, moreover, on particularly sensitive data: it is biometric information that is at stake here.
Facial recognition is a biometric method based on the analysis of facial features and shape to recognize an individual. As a result, biometrics is a separate category in personal data, benefiting from an increased level of protection, in the same way as genetic information, sexual orientation, religious beliefs, or criminal offenses.
Sensitive data, breaches of the GDPR, a formal notice from the Cnil ignored by Clearview AI, too little cooperation with the authority and contentious practices that persist… the inevitable ingredients of an explosive cocktail. However, the American company has the opportunity to appeal to the Council of State within four months.
In the meantime, the Cnil reiterated its injunction: Clearview AI must ” stop collecting and using, without legal basis, the data of people in France and delete those already collected “. She has two months to comply. Otherwise, the CNIL will add a penalty of 100,000 euros per day of delay.