The American company Clearview AI has developed a facial recognition software whose database is based on the aspiration of photographs and videos publicly available on the Internet. It is said to have collected more than 10 billion photos “without any legal basis”, which the Commission Nationale de l’Informatique et des Libertés (CNIL) has accused it of doing. The company has been given formal notice to cease this illegal processing and to delete the data within two months.
On the homepage of its website, Clearview AI states:
“We have developed a revolutionary web intelligence platform that law enforcement can use as a tool to help generate high quality investigative leads. Our platform, powered by facial recognition technology, includes the largest known database of over 10 billion facial images from public-only web sources, including news media, mugshot websites, social networks and public other open sources.”
Clearview AI, which set out to “support law enforcement and government agencies,” has been able to train many algorithms in this way, but has just been firmly called out by the CNIL.
Clearview AI had been challenged by Jumbo Privacy, a French data protection start-up, which had filed a complaint with the CNIL in July 2020 for various breaches of the General Data Protection Regulation (GDPR). In May 2021, it was the turn of NGO Privacy International to file a complaint for breaches of French law and the RGPD with the CNIL, but also with other personal data protection bodies along with other privacy and digital rights organizations.
Clearview AI being based in the United States, each European country has the competence to act on its territory, the CNIL shared the result of the investigations with its European counterparts which found two breaches of the RGPD:
- unlawful processing of personal data (breach of Article 6 of the GDPR) because the collection and use of biometric data is carried out without a legal basis;
- the lack of satisfactory and effective consideration of the rights of individuals, including requests for access to their data (Articles 12, 15 and 17 of the RGPD);As a result, the President of the CNIL has decided to give the company Clearview AI formal notice to:
- to stop the collection and use of data of persons located on French territory without a legal basis;
- to facilitate the exercise of the rights of the data subjects and to comply with the requests for erasure made.
The CNIL has given Clearview AI two months to respect and comply with its injunctions. If not, the CNIL may pronounce a sanction, including a financial one.
Clearview AI’s facial recognition service
Thanks to this collection of more than 10 billion photos, the company markets access to its image database in the form of a search engine in which a person can be searched using a photograph.
To do this, the company creates a “biometric template”, i.e. a digital representation of the physical characteristics of people (in this case, the face). For the CNIL:“These biometric data, are particularly sensitive, especially because they are linked to our physical identity and allow us to identify ourselves in a unique way.”
A possible invasion of privacy?
Clearview AI says: “We will never share or sell user data. We will not sell ads in our product. We only collect publicly available images and data […] Clearview AI’s search technology is legal and constitutional.”
The CNIL takes a different view. According to the French body, “the vast majority of people whose images are sucked into the search engine are unaware that they are affected by this device.”
Some of these photos have a specific framework, which prohibits any prior collection without clear and explicit written consent. To be lawful, a processing of personal data must be based on one of the legal grounds referred to in Article 6 of the GDPR. The Clearview AI facial recognition software, which does not comply with this rule, is therefore unlawful.
Moreover, “these individuals, whose photographs or videos are accessible on various websites and social networks, do not reasonably expect their images to be processed by the company to feed a facial recognition system that could be used by states for law enforcement purposes.”
The seriousness of this breach led the president of the CNIL to order Clearview AI to cease, for lack of a legal basis, the collection and use of data of persons on French territory, in the context of the operation of the facial recognition software it markets.
Translated from Clearview AI mise en demeure par la CNIL pour traitement illicite de données privées