The French data protection authority (CNIL) has fined Clearview AI 20 million euros for the illegal collection and processing of biometric data belonging to French citizens.
The amount is the maximum financial penalty that the company could receive in accordance with Article 83 of the GDPR. Clearview AI received the same fine from Italian and Greek data protection authorities for the same breaches in March and July.
The CNIL also ordered the American facial recognition company to stop all data collection activities and delete all data it had already collected within two months.
If Clearview AI does not comply with the orders after the two-month period, the CNIL will fine the company €100,000 for each day of non-compliance.
A controversial model
Clearview AI removes publicly available images and videos of people from websites and social media platforms and associates them with identities.
Using this method, the company has collected more than 20 billion images which are used to feed a biometric database of facial scans and identities.
The company sells access to this database to various operators of facial recognition systems, some of which are used by law enforcement authorities and private entities around the world.
In Europe, the General Data Protection Regulation (GDPR) states that any data collection must be clearly communicated to individuals and requires consent.
Even though Clearview AI does not use leaked data and the company does not spy on people, individuals do not know that their images are being used for identification purposes by Clearview AI customers.
Non-compliance with GDPR
As detailed in CNIL’s announcementthe authority notified Clearview AI in May 2021 of the violations, but the company ignored the recommendations.
The breaches of the GDPR discovered at the time by the French authority concerned article 6 of the rule – unlawful processing of personal data, and articles 12, 15 and 17, on the limitation of the rights of individuals to access the data and request its erasure.
In December 2021, the CNIL ordered the company to stop collecting the images that people uploaded and delivered a final warning.
Clearview AI still failed to comply with this order, which added another violation under Section 31 – lack of cooperation.