France Says Clearview Broke Privacy Laws, Orders It To Delete Residents' Data

from the surprisingly-not-terrible-use-of-the-GDPR dept

Clearview is again on the receiving end of an order demanding it delete all the local data it scraped from thousands of websites and social media platforms.

Canada led the way in booting the facial recognition company, ordering its exit in February. A government investigation concluded Clearview had broken the country’s privacy laws with its web scraping and ordered it to delete all Canadian data.

Australia was next, kicking Clearview out in November. It too concluded (after an investigation) that the country’s laws had been broken. The United Kingdom followed suit, more or less. It didn’t kick Clearview out but threatened it with a $23 million fine and forbade it from processing any more data collected in the UK.

Now, it’s France’s turn. The GDPR is in play this time, which means this announcement is likely to be followed by similar orders from other members of the European Union. Richard Nieva reports on the latest for BuzzFeed.

Facial recognition company Clearview AI has been hit with another order by a country’s watchdog agency to delete the personal data of its citizens, the latest in a global rebuke by privacy regulators around the world.

On Thursday, France’s Commission Nationale Informatique et Libertés (CNIL) said Clearview had breached Europe’s overarching data protection law, known as GDPR. It gave the company two months to delete the personal information it had collected and stop “unlawful processing” of the data.

Clearview hasn’t actually been asked to leave, but considering its business model relies on it breaking local laws, there’s little reason for it to stick around. Its CEO has responded with some overdone shrugging, claiming it doesn’t matter what France says because it doesn’t maintain a local office.

In response to the claims, Clearview AI CEO Hoan Ton-That argued that his company isn’t bound by Europe’s data regulation law. “Clearview AI does not have a place of business in France or the EU, it does not have any customers in France or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR,” he said in an emailed statement.

While some of that may be true, it’s pretty clear a lot of it isn’t. I don’t believe Clearview geofences its data-scraping, which means it’s certainly still collecting info on European residents. And claiming it has no customers in France or the EU is demonstrably false.

This is from earlier reporting on Clearview by BuzzFeed:

Data reviewed by BuzzFeed News shows that by early 2020, Clearview had made its way across Europe. Italy’s state police, Polizia di Stato, ran more than 130 searches, according to data, though the agency did not respond to a request for comment. A spokesperson for France’s Ministry of the Interior told BuzzFeed News that they had no information on Clearview, despite internal data listing employees associated with the office as having run more than 400 searches.

While it may be technically true it has no customers in the European Union, entities in the union were at least given trial access to Clearview’s AI and utilized it. Those are the kind of “activities” that would be “subject to the GDPR.” The locals weren’t running searches on American citizens. They were running them on residents of their respective countries, meaning there was searchable data collected by Clearview in violation of the GDPR.

At this point, Clearview may no longer be collecting data on Europeans and residents of other countries that have demanded it delete data. But that doesn’t mean it’s legally in the clear. A belated exit is better than nothing, but no documents have surfaced that show Clearview isn’t still gathering data from areas where it’s been told to cease operations. All we have are Clearview’s assurances, which aren’t all that reassuring, considering they’re half-truths at best. It still has yet to show it has learned anything from the past 18 months of negative coverage and has never offered anything approaching contrition for its horrific actions and incredibly irresponsible business model.

Companies: clearview


Comments on “France Says Clearview Broke Privacy Laws, Orders It To Delete Residents' Data”

5 Comments
Frank Cox (profile) says:

Is it even possible for them to comply?

I don’t see how it would be possible for them to comply with this short of shutting down operations completely and worldwide. (Which wouldn’t be a bad result, but that’s not what the order actually tells them to do.)

Joe is from Canada, Jane is from the UK and they are on vacation together in Italy. Their vacation photo is posted on random-website-dot-com and gets scraped by a US-based company.

That gets really complex really fast even without the added wrinkle that there’s no reliable way to determine any of that information from that vacation photo.

PaulT (profile) says:

Re: Is it even possible for them to comply?

This is ultimately the main problem with this type of order, along with "right to be forgotten" and other silliness. They make sense when you’re dealing with a legacy physical publisher who only operates within the borders of one location, but they quickly lose relevance and the ability to be adhered to once you’re dealing with UGC distributed internationally from different locations.

Tom Mink (profile) says:

Impossible business model

Clearview seems to keep finding itself stuck in a bit of a forked stick. Countries want it to follow local privacy laws by removing citizens’ data – which seems impossibly complex to do with the vaguely undifferentiated mass of scraped data they’ve collected.
But, their business proposition is that they can successfully identify people from images, with minimal false positives. So, an inability to trawl their dataset and remove entries with a really important identifier seems like a big problem with their product. They get to either comply, or admit they suck.
