Clearview AI, the U.S. startup that’s attracted notoriety in recent years for a massive privacy violation after it scraped selfies off the internet and used people’s data to build a facial recognition tool it pitched to law enforcement and others, has been hit with another fine in France over non-cooperation with the data protection regulator.
The overdue penalty payment of €5.2 million has been issued by the French regulator, the CNIL — on top of a €20 million sanction it slapped the company with last year for breaching regional privacy rules.
The European Union’s General Data Protection Regulation (GDPR) sets out conditions for processing personal data lawfully. Clearview has been found to have breached a number of requirements set out in law — by France’s CNIL and several other regional data protection authorities, including authorities in the U.K., Italy and Greece, garnering several tens of millions in total fines to date.
Whether Clearview will ever pay any of these fines remains an open question, since the US-based company has not been cooperating with EU regulators.
In a press release today, the CNIL said Clearview has failed to comply with the order it issued last October — when it imposed the maximum penalty it could (€20 million) for three types of breaches of the GDPR.
That 2022 order followed an earlier finding, in December 2021, when — after investigating complaints — the CNIL decided Clearview had breached the GDPR by unlawfully processing several tens of millions of citizens’ data; and failing to provide locals with data access rights.
It was Clearview’s failure to comply with the CNIL’s December 2021 order that led, in October 2022, to the French watchdog adding a third breach finding to its tally — lack of cooperation with the regulator — and issuing the biggest fine it possibly could under the GDPR. (The regulation allows for fines of up to 4% of global annual turnover or €20 million, whichever is higher.)
The CNIL’s order also instructed Clearview not to collect and process data on individuals located in France without a proper legal basis; and to delete data of individuals whose information it had processed unlawfully, after fulfilling any outstanding data access requests.
At the time, the CNIL committee responsible for issuing sanctions gave Clearview a two-month deadline to comply with the order — with the threat of further fines if it did not do so (at a cost of €100,000 per overdue day).
Safe to say, the demonstrably uncooperative U.S. company has failed to play ball yet again — hence the latest CNIL fine, which appears to be billing Clearview for 52 days of non-compliance.
“Clearview AI had two months to comply with the order and justify compliance to the CNIL. However, the company did not send any proof of compliance within this time limit,” the regulator writes. “On 13 April 2023, the restricted committee considered that the company had not complied with the order and consequently imposed an overdue penalty payment of €5,200,000 on Clearview AI.”
We reached out to the CNIL with questions. A spokesperson for the regulator confirmed to us that Clearview has not paid any of the penalties the CNIL has issued, telling TechCrunch: “They still are [non-]compliant — that’s why we imposed an overdue penalty payment of €5,200,000.”
“With regard to the injunction, the CNIL is continuing to work with its American counterpart, the Federal Trade Commission (FTC), to discuss how we can ensure that the injunction issued against the company is enforced,” they added when asked what powers they have to enforce the order on the US-based company. “With regard to the penalty payment, the Ministry of Economy and Finance is approaching the FTC to consider existing and possible means of collecting the fine and the penalty payment.”
The CNIL also volunteered that it will not be seeking to block Clearview’s website in France — saying such a step would not be relevant to the key lawfulness of processing issue. “The CNIL is questioning the way in which personal data is collected by the company, i.e. without any legal basis, by sucking up publicly accessible photographs on the Internet in order to feed its tool,” the spokesperson added.
Clearview was also contacted for a response.
Its PR agency, the LAKPR Group, responded with its (now) customary denial that the EU law applies to its business:
Clearview AI does not have a place of business in France or the EU, it does not have any customers in France or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR.
(NB: The GDPR applies to the personal data of EU people, so Clearview would need to have never scraped locals’ selfies off the Internet for the bloc’s data protection law not to apply and, notably, its statement does not say it has never processed Europeans’ data.)
Clearview’s statement re: what it couches as “the misinterpretation by some in France, where we do no business, of Clearview AI’s technology to society” is attributed to its CEO, Hoan Ton-That. In it he goes on to repeat a claim that he only created the facial recognition technology for “the purpose of helping to make communities safer and assisting law enforcement in solving heinous crimes against children, seniors and other victims of unscrupulous acts”; adding: “We only collect public data from the open internet and comply with all standards of privacy and law.”
While France’s CNIL may have to whistle for the millions owed by Clearview, the fine announcements do have the effect of essentially preventing the AI company from setting up shop in France — i.e. unless it’s willing to pay up when the CNIL’s debt collectors come calling.
Add to that, and perhaps more importantly, all these GDPR penalties act as a deterrent to other entities in the region from using Clearview’s services — since they risk being fined themselves, as happened back in 2021 with a Swedish police authority caught using Clearview unlawfully, for example.
So while EU people’s data is still not being protected from abusive processing by privacy-hostile AI companies like Clearview, the GDPR may at least be helping to limit damage by making it de facto impossible for it to do business in the region. Although there’s no doubt the saga underlines the challenge of enforcing a regional rulebook on uncooperative foreign entities in an age of big cross-border data flows.
There’s more EU regulation incoming for AI too, with the bloc’s lawmakers very busy hashing out the final details of the AI Act: A regulation on use of artificial intelligence which was proposed by the Commission back in 2021. The draft version of this risk-based framework includes a prohibition on the use of remote biometrics in public places — which Clearview may have helped inspire.
This report was updated with responses from the CNIL.