Clearview AI, the US startup that’s attracted notoriety in recent years for a massive privacy violation after it scraped selfies off the Internet and used people’s data to build a facial recognition tool it pitched to law enforcement and others, has been hit with another fine in France over non-cooperation with the data protection regulator.
The overdue penalty payment of €5.2M has been issued by the French regulator, the CNIL — on top of a €20M sanction it slapped the company with last year for breaching regional privacy rules.
The European Union’s General Data Protection Regulation (GDPR) sets out conditions for processing personal data lawfully. Clearview has been found to have breached a number of requirements set out in law — by France’s CNIL and several other regional data protection authorities, including authorities in the UK, Italy and Greece, garnering several tens of millions in total fines to date.
Whether Clearview will ever pay any of these fines remains an open question, since the US-based company has not been cooperating with EU regulators.
In a press release today, the CNIL said Clearview has failed to complied with the order it issued last October — when it imposed the maximum possible size of penalty it could (€20M) for three types of breaches of the GDPR.
That 2022 order followed an earlier finding, in December 2021, when — after investigating complaints — the CNIL decided Clearview had breached the GDPR by unlawfully processing several tens of millions of citizens’ data; and failing to provide locals with data access rights.
It was Clearview’s failure to comply with the CNIL’s December 2021 order that led, in October 2022, to the French watchdog adding a third breach finding to its tally — lack of cooperation with the regulator — and issuing the biggest fine it possibly could under the GDPR. (The regulation allows for fines of up to 4% of global annual turnover or €20M, whichever is higher.)
The CNIL’s order also instructed Clearview not to collect and process data on individuals located in France without a proper legal basis; and to delete data of individuals whose information it had processed unlawfully, after fulfilling any outstanding data access requests.
At the time the CNIL committee responsible for issuing sanctions gave Clearview a two month deadline to comply with the order — with the threat of further fines if it did not do so (at a cost of €100,000 per overdue day).
Safe to say, the demonstrably uncooperative US company has failed to play ball yet again — hence the latest CNIL fine, which appears to be billing Clearview for 52 days of non-compliance.
“Clearview AI had two months to comply with the order and justify compliance to the CNIL. However, the company did not send any proof of compliance within this time limit,” the regulator writes. “On 13 April 2023, the restricted committee considered that the company had not complied with the order and consequently imposed an overdue penalty payment of €5,200,000 on Clearview AI.”
We’ve reached out to the CNIL with questions.
Clearview was also contacted for a response. Its PR agency, the LAKPR Group, responded with its (now) customary denial that the EU law applies to its business:
Clearview AI does not have a place of business in France or the EU, it does not have any customers in France or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR.
(NB: The GDPR applies to the personal data of EU peoples so Clearview would need to have never scraped locals’ selfies off the Internet for the bloc’s data protection law not to apply and, notably, its statement does not say it has never processed Europeans’ data.)
Clearview’s statement re: what it couches as “the misinterpretation by some in France, where we do no business, of Clearview AI’s technology to society” is attributed to its CEO, Hoan Ton-That. In it he goes on to repeat a claims that he only created the facial recognition technology for “the purpose of helping to make communities safer and assisting law enforcement in solving heinous crimes against children, seniors and other victims of unscrupulous acts”; adding: “We only collect public data from the open internet and comply with all standards of privacy and law.”
While France’s CNIL may have to whistle for the millions owed by Clearview, the fine announcements do have the effect of essentially preventing the AI company from setting up shop in France — i.e. unless it’s willing to pay up when the CNIL’s debt collectors come calling.
Add to that, and perhaps more importantly, all these GDPR penalties act as a deterrent to other entities in the region from using Clearview’s services — since they risk being fined themselves, as happened back in 2021 with a Swedish police authority caught using Clearview unlawfully, for example.
So while EU people’s data is still not being protected from abusive processing by privacy-hostile AI companies like Clearview, the GDPR may at least be helping to limit damage by making it defacto impossible for it to do business in the region. Although there’s no doubt the saga underlines the challenge of enforcing a regional rulebook on uncooperative foreign entities in an age of big cross-border data flows.
There’s more EU regulation incoming for AI too, with the bloc’s lawmakers very busy hashing out the final details of the AI Act: A regulation on use of artificial intelligence which was proposed by the Commission back in 2021. The draft version of this risk-based framework includes a prohibition on the use of remote biometrics in public places — which Clearview may have helped inspire.