The data protection agency for France, Commission nationale de l’informatique et des libertés (CNIL), has imposed a €20 million penalty on a company for its facial recognition technology. The CNIL has also ordered the company, Clearview AI, to stop collecting the data of people in France and to delete any data already collected.
The company in question uses facial recognition technology to collect photographs from across the internet. It takes photos from many websites, including social networks, and it also extracts images from accessible videos, regardless of the distribution platforms. These photos can then be consulted without logging into an account. They have accumulated more than 20 billion images around the world.
They market their database in the form of a search engine. By using a photograph of someone you can search the database for other images of them. They particularly offer this service to law enforcement agencies to help identify perpetrators or victims of crimes.
The facial recognition technology is used to query the search engine and find a person from their photograph. To do this, the company builds a biometric template, i.e., a numerical representation of people’s physical characteristics (here, the face). This biometric data is particularly sensitive because it is directly linked to individuals’ physical identity and allows them to be uniquely identified. However, the vast majority of people whose images are pulled into this search engine are unaware that they are affected by it.
The CNIL became aware only after individuals complained about this software. An investigation into the company’s facial recognition software then began.
Under GDPR, personal data processing can only be done with the data subject’s consent or if it is necessary:
- For performing a contract to which the data subject is a party, or pre-contractual measures
- To comply with a legal obligation
- To protect an individual’s vital interest
- For performing a task in the public interest or in exercise of the controller’s official authority; or
- For the controller’s legitimate interests, unless overridden by the data subject’s fundamental rights and freedoms, particularly when the data subject is a child.
Because the software does not respect this rule, it is illegal. The persons concerned are not asked for their consent. The company does not have a legitimate interest in collecting and using this data, especially considering the intrusive and massive nature of the process. It is possible for the company to retrieve the images of millions of internet users in France. The people affected do not reasonably expect that their images will be processed to feed a facial recognition technology that can be used for police purposes.
Data subjects have rights under GDPR to allow them to obtain from the controller:
- Confirmation on whether their personal data is being processed
- Information on the processing of their personal data
- Access to their personal data
A controller must facilitate the exercise of the above rights. Data subjects also have the right to request a controller erase their unlawfully processed personal data as soon as possible.
The CNIL found that the complainants faced difficulties when they contacted Clearview. It was deemed that the company does not facilitate data subject rights due to a number of factors:
- Limitation on right to access by restricting access to only data collected in the twelve months preceding the request
- Restriction on how many times the right can be exercised without justification, in this case, twice a year
- Responding only after an excessive number of requests from the same person
- Responses to access or erasure requests are only partial or ignored entirely.
The GDPR requires companies to cooperate with a data protection agency. The CNIL found that Clearview failed to cooperate with its investigation.
After the CNIL sent a control questionnaire, the company responded to only parts of it. The CNIL also put the company on notice to:
- Cease the collection and use of data from persons on French territory in the absence of a legal basis
- Facilitate the exercise of rights of data subjects and comply with requests for access and erasure.
Clearview had a two-month period to comply with the formal notice and to justify it to the CNIL. The company did not respond to the notice at all and therefore breached the obligation to cooperate with the CNIL.
The CNIL has given Clearview a fine of €20 million ($19,661,913 USD). Clearview has also been ordered to stop the collection and processing of data of people in France and to delete the data that has already been collected. The company has two months to comply. Should it fail to do so, there will be a penalty payment of €100,000 ($97,875 USD) per day of delay beyond the two months.