French Government Hits Clearview With The Maximum Fine For GDPR Violations
from the yeah...-that's-a-shame dept
Clearview hasn’t won many friends since its inception. Scraping the web of any relevant content to compile a few billion records for facial recognition matches is no way to run a respectable business, and Clearview has been anything but respectable.
Early access was granted to anyone who was interested, including private companies, government agencies, and whatever billionaires might be willing to throw a few dollars Clearview’s way. Since all of this data is compiled without anyone’s permission (including the sites being scraped), Clearview has been fined, sued, hit with cease-and-desists, and found itself reviled even in the surveillance tech industry.
Clearview’s run in the US has been slightly more successful that its endeavors outside our borders. Thanks to a lack of strong privacy laws, not much can be done about Clearview’s scrape-and-sell tactics. But outside of the US, Clearview is finding it almost impossible to engage in shady business as usual.
A few countries have explicitly uninvited Clearview. The UK, after first threatening a $23 million fine for privacy law violations, finally settled on a $9.4 million fine that came with an order to delete all data pertaining to UK residents. The Italian government had the same problems with Clearview and its web scraping, ordering it to pay a $21 million fine for GDPR violations.
The same conclusion has been reached in France, adding to Clearview’s European tab. As Natasha Lomas reports for TechCrunch, French regulators have hit Clearview with the maximum possible fine for GDPR violations.
“Clearview AI had two months to comply with the injunctions formulated in the formal notice and to justify them to the CNIL. However, it did not provide any response to this formal notice,” the CNIL wrote in a press release today announcing the sanction [emphasis its].
“The chair of the CNIL therefore decided to refer the matter to the restricted committee, which is in charge for issuing sanctions. On the basis of the information brought to its attention, the restricted committee decided to impose a maximum financial penalty of 20 million euros, according to article 83 of the GDPR [General Data Protection Regulation].”
That’s the statement from France’s privacy regulator. According to the CNIL’s findings, Clearview’s scraping/repackaging program violated privacy rights of citizens by not obtaining consent to collect the data. The repackaging for resale violated GDPR restrictions on processing of collected data. Finally, as noted in its statement, Clearview made things worse for itself by blowing off CNIL last year, when it informed Clearview of its initial conclusions and ordered it to delete data belonging to French citizens. That’s a GDPR violation of its own.
Whether or not France will be able to collect remains to be seen. Meanwhile, Clearview’s CEO Hoan Ton-That has issued yet another nonsensical non-defense of Clearview’s business model that basically says Clearview will continue its non-compliance with CNIL’s earlier order.
There is no way to determine if a person has French citizenship, purely from a public photo from the internet, and therefore it is impossible to delete data from French residents. Clearview AI only collects publicly available information from the internet, just like any other search engine like Google, Bing or DuckDuckGo.
If this is true, Clearview’s product is illegal everywhere in Europe. Clearview is admitting it cannot determine the origin of the images and data it scrapes, which also means it can’t comply with its own agreements/legal settlements where it has agreed to stop collecting in certain locales and delete data pertaining to these residents.
Ton-That claims to be “heartbroken” that France has “misinterpreted” Clearview’s business model. Of course, no one has misinterpreted anything. Clearview openly admits how it collects data and, for the most part, who it sells access to — a list that expands and contracts based on reactions to legal problems but generally still remains “anyone who’s interested.”
Presumably, Clearview will continue to do what it does while foreign regulators wave unpaid bills and set up No Trespassing signs. Clearview may think it can outlast the backlash, but none of this is going to just go away if Clearview ignores it. Sooner or later, it will run into something it can’t walk away from. And with each fine and lawsuit, its potential customer base continues to shrink.
Filed Under: cnil, facial recognition, france, gdpr, privacy, screaping
Companies: clearview, clearview ai
Comments on “French Government Hits Clearview With The Maximum Fine For GDPR Violations”
Is he saying that clearview can’t give useful info like “name & address” and that it’s ONLY a tool for showing your more pictures of the same person (at best… which probably way over states their technical… prowess)?
It sounds like, in his rush to defend, he own-goal-ed instead.
Re: Good catch
Clearview: Our service is an incredible tool for identifying people by matching their faces to data like location and name.
Also Clearview: We have no idea who the people in our database are and no way to even guess where they might live.
'We can't comply with the law, violating it is our entire business model!'
Clearview: We have no way of knowing where the person who’s picture we grabbed lives so we can’t delete just those people from out database!
Non-US courts: That’s a problem alright, but only for you.
I can’t help but picture a serial pickpocket being ordered to stop and return all the stuff they stole ‘defending’ themselves by claiming that since they don’t pay attention to who owned what such an order is an unreasonable demand.
Just curious.
Are there any indicators about how much of the “images <=> names” database that Clearview possesses was gathered from not-so-publicly-available sources?
Rough Data Quality means they don't precisely know
That is, I’m reasonably certain that if he felt like it, Mike Masnick or one of his friends could put a name to me and figure out that I frequently connect to the internet from 123 Main Street in Anytown, USA.
More certainty as to whether I am a US Citizen or not is probably further than he or Clearview wants to go and slightly expensive.
The problem is, the work of Clearview seems extremely similar to that of #seditionhunters… how does one distinguish those legally and morally???
Minor typo
“… more successful that its endeavors outside … border”
that >> than
Impossible to comply? Not so much...
There is, of course, a really simple way for Clearview to comply with this court order.
In order to guarantee it has deleted all French citizens’ data, it just needs to delete its entire dubiously-acquired database.
Oh dear. So sad.
Plays tiny violin