The ‘Commission Nationale de l’Informatique et des Libertés’ (CNIL – the French DPA) released its final decision on October 20th, 2022, sanctioning Clearview AI for its unlawful activity, which consists of collecting images of millions of individuals from the open web without any legal basis under the GDPR for doing so.
This decision follows the non-compliance by the company with the formal notice issued by the CNIL on November 26th, 2021. The CNIL decision imposes the highest possible financial sanction provided for by the GDPR on the company, with a fine amounting to 20 million euros. It is the fourth time that the company has been given a financial sanction, with the Greek and Italian DPAs both inflicting a 20 million euro fine and the British DPA sanctioning the company 7.5 million pounds.
The French DPA insists in its decision that the collection of images uploaded online by people amounts to behavioural profiling, since their URL links are also gathered by Clearview AI, which might reveal data subjects’ preferences and behaviour. Furthermore, the CNIL considers that “(t)he processing in question thus constitutes profiling within the meaning of Article 4(1)(4) in that it makes it possible to evaluate certain personal aspects relating to a natural person, in particular in order to analyse elements concerning his or her personal preferences, interests, behaviour or location”.
Another concern is obviously the processing of biometric data without a proper legal basis. The French DPA claims that the company cannot be basing the data processing in question on the consent of data subjects. In addition, the CNIL considers that the legitimate interest of the data controller, which is mainly of an economic nature in such a scenario, cannot be used as a legal basis either. In this respect the CNIL’s decision reads as follows:
“the infringement of the privacy of individuals appears disproportionate to the interests of the controller, in particular its commercial and pecuniary interests. The legal basis of the company’s legitimate interest cannot therefore be accepted”.
The French data protection watchdog has also accused the American start-up of violating the rights of data subjects to delete and/or access their data. In particular, the CNIL emphasises that a claimant has only had “partial” access to information and that she had to ask for her data several times before getting an actual answer from the company. Furthermore, the CNIL has underlined that Clearview has not been cooperative in terms of its compliance with the formal notice issued in 2021.
Finally, in determining the amount of the fine, the French DPA has taken into account the gravity of the violations of the GDPR, which involve particularly intrusive data processing which targets a vast number of data subjects.
Interestingly, the CNIL justifies its decision to release the decision publicly as regards the gravity of the violations of the GDPR. According to the French DPA, making the decision public is necessary to raise awareness among civil society of Clearview’s activity. In particular, the aim of releasing this decision publicly is “to inform the people concerned of the existence of this system, which is unknown to the vast majority of them”.
Facial recognition is a much discussed topic which will be at the very core of the negotiations about the adoption of the AI Act. With this decision, the CNIL has followed in the footsteps of the Italian, Greek and British DPAs, determining that Clearview’s activity is unlawful under EU data protection law and imposing a financial sanction on the company. A decision, or an Opinion from the Austrian data protection authority is yet to be released, since the NGO ‘Noyb’ also filed a complaint in May 2021.