France: Clearview to pay additional millions in fines

As the disputed company Clearview AI has not followed orders from French privacy groups, the company must pay another fine for violating privacy laws. In a lawsuit in Austria, the company avoided penalties.

The French data protection authority “Commission Nationale de l’Informatique et des Libertés” (CNIL) imposed an additional fine in the amount of 5.2 million euro on Clearview AI. The US company collects photos from the internet of people and uses these for their biometric facial recognition database. According to the authorities, Clearview violates the European Union’s General Data Protection Regulation (GDPR) – which is why they already had a fine imposed on them in October. The Austrian data protection authorities has now completed the evaluation of a complaint received.

As the CNIL reported on Wednesday, Clearview AI has not yet met their obligations from October 2022. That is why a new fine has been imposed on them.

In October, the CNIL ordered the company to “not collect and process data on individuals located in France without any legal basis, and to delete the data of these individuals”. The authorities gave Clearview two months time to implement the specifications. In the event that Clearview would not comply, an additional fine in the amount of 100,000 euro per day was threatened.

Highest possible fine

Data protection authorities already imposed a fine in the amount of 20 million euro (German article) on Clearview Ai – which, according to the authorities, is the highest possible fine.

The CNIL determined then that Clearview was processing biometric data without any legal basis. Clearview did not obtain written consent from those affected by the data processing nor did a legitimate interest exist. Biometric data are especially sensitive as people can be clearly identified using them over their entire lifespan.

Additionally, internet users did not expect that their public photos could be used for facial recognition that would in turn be sold to government agencies and used for law enforcement.

At that time already, French data protection authorities criticized Clearview’s lack of cooperation. Because originally the CNIL had already prohibited the company late 2021 (German article) from collecting data from people in France. Clearview, however, did not react to this demand and only returned a partially filled out hearing form. According to CNIL, the company is, however, obligated to work together with authorities.

The CNIL’s investigation was prompted by complaints submitted by individuals since 2020. A year later, the British civil rights organization Privacy International also turned to the CNIL for assistance. They welcomed the new fine and stated: “This penalty sends a clear message to businesses like Clearview – stop playing with our privacy and freedoms.”

No penalty in Austria

In May 2021, Privacy International, in collaboration with organizations Homo Digitals, Hermes Center for Transparency and Digital Human Rights as well as Noyb also submitted complaints to data protection authorities in Greece, Great Britain, Italy and Austria. Only the Austrian decision was still pending.

As Noyb reported on Wednesday, the Austrian data protection authorities have now decided that Clearview may no longer process data of the complainant and must delete the data. However, the decision only applied in this individual case and did not have any impact on processing data of other Austrian citizens.

Felix Mikolasch, data protection lawyer at Noyb, explained: “It is unfortunate that no general ban was issued. The case of the complainant is likely the same for everyone else in Austria. It seems that Clearview’s processing is only considered illegal if you complain to the data protection authority.”

The authorities did not impose a fine, which Noyb considered “surprising”. Because in addition to France, Italian data protection authorities also imposed a fine in the amount of 20 Millionen Euro (German article). In Greece, a penalty was also set in this amount. In Great Britain, Clearview must pay approximately 8.9 million euro (German article).

In March 2020, the then Hamburg Commissioner for Data Protection Johannes Caspar
also initiated legal action against Clearview. The basis for this was the complaint of an affected person that requested information about their data according to GDPR. In August 2020, Caspar determined that there was no existing legal basis for Clearview to process biometric data – and ordered that Clearview must delete the biometric profile of the affected party.

Clearview became the focus of public attention through research conducted by the New York Times: The company automatically collected public images on the internet and created a comprehensive database for facial recognition. According to their own data, there are more than 30 billion images of people. (js)