France’s National Commission on Informatics and Liberty (CNIL) issued a €20 million fine to Clearview AI for three breaches of the European Union’s General Data Protection Regulation (GDPR), according to a press release. They charged Clearview with unlawful processing of personal data, failure to account for individuals’ personal rights, and lack of cooperation with the CNIL.
Clearview AI is a company that scrapes, among other media, individuals’ social media photos to compile a massive face dataset that can then be used by law enforcement for facial recognition. As covered by Law Street they have faced numerous lawsuits for infringing upon individuals’ privacy rights.
In May 2020, the CNIL first received complaints about Clearview, and the commission, along with equivalent organizations across the EU, investigated the matter. They found Clearview in violation of articles 6, 12, 15, and 17 of the GDPR, which cover unlawfully processing personal data and failing to account for individuals’ rights.
The CNIL notified Clearview AI in November 2021 that they must cease collection of biometric data of French citizens and comply with individuals’ requests to have their data scrubbed. Following months of ghosting, the CNIL added an article 31 violation, failure to cooperate.
According to TechCrunch, he GDPR allows for fines up to 4% of a company’s worldwide annual revenue or €20 million, whichever amount is greater. Clearview’s PR agency, LakePR Group, issued a statement to TechCrunch declaring that CNIL did nothing wrong and since it merely “collects publicly available information from the internet, just like any other search engine like Google, Bing or DuckDuckGo.” It further reiterated that since it does not have a place of business in the EU or undertake activities that “would otherwise mean it is subject to the GDPR.”