French Government Hits Clearview With The Maximum Fine For GDPR Violations
from the yeah...-that's-a-shame dept
Clearview hasn’t won many friends since its inception. Scraping the web of any relevant content to compile a few billion records for facial recognition matches is no way to run a respectable business, and Clearview has been anything but respectable.
Early access was granted to anyone who was interested, including private companies, government agencies, and whatever billionaires might be willing to throw a few dollars Clearview’s way. Since all of this data is compiled without anyone’s permission (including the sites being scraped), Clearview has been fined, sued, hit with cease-and-desists, and found itself reviled even in the surveillance tech industry.
Clearview’s run in the US has been slightly more successful that its endeavors outside our borders. Thanks to a lack of strong privacy laws, not much can be done about Clearview’s scrape-and-sell tactics. But outside of the US, Clearview is finding it almost impossible to engage in shady business as usual.
A few countries have explicitly uninvited Clearview. The UK, after first threatening a $23 million fine for privacy law violations, finally settled on a $9.4 million fine that came with an order to delete all data pertaining to UK residents. The Italian government had the same problems with Clearview and its web scraping, ordering it to pay a $21 million fine for GDPR violations.
The same conclusion has been reached in France, adding to Clearview’s European tab. As Natasha Lomas reports for TechCrunch, French regulators have hit Clearview with the maximum possible fine for GDPR violations.
“Clearview AI had two months to comply with the injunctions formulated in the formal notice and to justify them to the CNIL. However, it did not provide any response to this formal notice,” the CNIL wrote in a press release today announcing the sanction [emphasis its].
“The chair of the CNIL therefore decided to refer the matter to the restricted committee, which is in charge for issuing sanctions. On the basis of the information brought to its attention, the restricted committee decided to impose a maximum financial penalty of 20 million euros, according to article 83 of the GDPR [General Data Protection Regulation].”
That’s the statement from France’s privacy regulator. According to the CNIL’s findings, Clearview’s scraping/repackaging program violated privacy rights of citizens by not obtaining consent to collect the data. The repackaging for resale violated GDPR restrictions on processing of collected data. Finally, as noted in its statement, Clearview made things worse for itself by blowing off CNIL last year, when it informed Clearview of its initial conclusions and ordered it to delete data belonging to French citizens. That’s a GDPR violation of its own.
Whether or not France will be able to collect remains to be seen. Meanwhile, Clearview’s CEO Hoan Ton-That has issued yet another nonsensical non-defense of Clearview’s business model that basically says Clearview will continue its non-compliance with CNIL’s earlier order.
There is no way to determine if a person has French citizenship, purely from a public photo from the internet, and therefore it is impossible to delete data from French residents. Clearview AI only collects publicly available information from the internet, just like any other search engine like Google, Bing or DuckDuckGo.
If this is true, Clearview’s product is illegal everywhere in Europe. Clearview is admitting it cannot determine the origin of the images and data it scrapes, which also means it can’t comply with its own agreements/legal settlements where it has agreed to stop collecting in certain locales and delete data pertaining to these residents.
Ton-That claims to be “heartbroken” that France has “misinterpreted” Clearview’s business model. Of course, no one has misinterpreted anything. Clearview openly admits how it collects data and, for the most part, who it sells access to — a list that expands and contracts based on reactions to legal problems but generally still remains “anyone who’s interested.”
Presumably, Clearview will continue to do what it does while foreign regulators wave unpaid bills and set up No Trespassing signs. Clearview may think it can outlast the backlash, but none of this is going to just go away if Clearview ignores it. Sooner or later, it will run into something it can’t walk away from. And with each fine and lawsuit, its potential customer base continues to shrink.