The privacy regulator of France has ordered Clearview AI to delete all its data relating to French citizens. It said the company has breached the European General Data Protection Regulation (GDPR). Meanwhile, the UK Information Commissioner’s Office (ICO) has also announced a provisional £17 million fine against Clearview.
The French regulator issued a formal notice to Clearview to stop the “unlawful processing” of data and also directed it to delete user data within two months, Techcrunch reported. The UK ICO also directed Clearview AI to stop further processing of people’s personal data and delete it.
Tl;dr- What does Clearview AI do?
Clearview has a facial recognition application. The application collects photographs from a large number of websites, including social media platforms. It also catches images from videos. Using these methods, the company has amassed a huge database of 10 billion images of people from around the world.
The application allows its users to upload a photo of an individual and match it to photos collected from the internet. It works like a search engine. To make the process efficient, Clearview AI deploys a “biometric template”. This template is a digital representation of the physical characteristics of people, people’s faces in this case.
The French Action
In a press release (translated), the Commission nationale de l’informatique et des libertés (CNIL) said it received complaints from individuals about Clearview AI’s facial recognition software in May 2020. It added that the Privacy International association also alerted the CNIL about this, following which it started an investigation.
The investigation revealed two breaches of GDPR:
Unlawful processing of personal data: Clearview AI collected and used biometric data without a legal basis which violates article 6 of the GDPR.
Lack of satisfactory and effective consideration of individual rights: Clearview AI breached articles 12, 15, and 17 of the GDPR. According to CNIL, the company did not facilitate the right to data by limiting it to data collected during twelve months preceding the request.
Further, it restricted the exercise of this right to twice a year, without any justification. The company also responded only to a certain number of requests, that too after the same person made an excessive number of requests.
Clearview AI has two months to comply with the injunctions and justify them to the CNIL. If it does not comply with the directions, it will face sanctions.
UK ICO’s provisional fine
Before we jump into details, here’s some important information. Last month, the ICO and the Australian Information Commissioner (OAIC) revealed that they had concluded their joint investigation on Clearview AI. While the OAIC determined that the company violated the Australian Privacy Act, 1988, and asked it to stop collecting and processing data, the UKO ICO said it was considering its next steps.
Now, the ICO has announced its provisional intent to impose a potential fine of just over £17 million. It says Clearview AI failed to comply with the UK data protection laws by failing to:
- process the information of people in the UK in a way they are likely to expect or that is fair;
- have a process in place to stop the data being retained indefinitely;
- have a lawful reason for collecting the information;
- meet the higher data protection standards required for biometric data (classed as ‘special category data’ under the GDPR and UK GDPR);
- inform people in the UK about what is happening to their data; and
- asking for additional personal information, including photos, which may have acted as a disincentive to individuals who wish to object to their data being processed.
In its press release, it said:
“Clearview AI Inc now has the opportunity to make representations in respect of these alleged breaches set out in the Commissioner’s Notice of Intent and Preliminary Enforcement Notice. Any representations will be carefully considered by the Information Commissioner before any final decision is made.”
Clearview AI is not making regulators happy
Multiple jurisdictions have declared Clearview’s actions as illegal. On 5th Feb, Canada banned Clearview AI’s facial recognition service for collecting highly sensitive biometric data without consent.
Following this, in mid-February, Sweden’s data watchdog imposed a fine on local police for unlawful use of Clearview AI. The UK has also declared facial recognition that searches for people in public places. Most recently, the EU Parliament has called for a permanent ban on AI-based facial recognition.
A BuzzFeed investigation found that the US law enforcement personnel were using the application even without authorization. They used it for various purposes – searching for Black Lives Matter protesters, Capitol insurrectionists, or their own family and friends.
Interestingly, the officers reported that facial recognition searches through Clearview AI invariably yielded an ineffective response. You can read more about the discrepancies here.