France: CNIL fines Clearview AI €20 million over facial recognition technology
The French data protection authority ('CNIL') announced, on 20 October 2022, that it had issued, on 20 September 2022, the Deliberation of CNIL's Restricted Committee No. SAN-2022-019 of 17 October 2022, in which it imposed a fine of €20 million on Clearview AI Inc., for violation of Articles 6, 12, 15, 17, and 31 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following complaints by individuals and data protection authorities.
Background to the decision
In particular, CNIL highlighted that it and various other European data protection authorities had received complaints regarding Clearview AI's use of facial recognition software. In addition, CNIL outlined it had received complaints from individuals in May and December 2020 regarding the difficulties they encountered when exercising their rights of access and erasure.
Findings of CNIL
During the course of its investigation, CNIL provided Clearview AI two months to comply with the provisions of Articles 6, 12, 15, and 17 of the GDPR.
More specifically, CNIL outlined that Clearview AI's facial recognition software is based on the systematic and widespread collection of images containing faces, and is subsequently used for commercial purposes, including the provision of data to law enforcement agencies in the US. Accordingly, CNIL noted that from the outset, Clearview AI had not obtained consent from persons whose personal data had been processed, and was found to have violated Article 6 of the GDPR owing to the absence of a legal basis for processing of personal data.
Further, CNIL detailed that Clearview AI failed to respond effectively to data subject requests for access, and failed to facilitate this right where applicable, responding to complainant's requests in cases only after seven letters and four months after initial requests were made. Consequently, CNIL found that Clearview AI failed in its obligation to facilitate the right of access and refrained from providing a satisfactory response, thereby violating Articles 12 and 15 of the GDPR.
In addition, CNIL provided that Clearview AI did not respond to complainant's requests to erase their personal data. Resultantly, CNIL found that Clearview AI had breached Article 17 of the GDPR.
Finally, CNIL established that Clearview AI did not respond to CNIL's requests for cooperation within the specified timeframe, and failed to submit any observations in defence, including a formal questionnaire to which Clearview AI only partially responded to. Accordingly, CNIL provided that Clearview AI had breached Article 31 of the GDPR in failing to cooperate with a supervisory authority.
- fined Clearview AI €20 million;
- issued an injunction to not proceed with the processing and collection of personal data of data subjects in French territory;
- ordered Clearview AI to delete the personal data of persons whose personal data had been collected or processed, with specific significance given to those who have requested the deletion of their personal data; and
- attached a penalty payment of €10,000 per day on failure to implement the above requirements, from two months after the publication of the decision.
Update (21 October 2022)
EDPB publishes English summary of CNIL's decision to fine Clearview AI €20M
The European Data Protection Board ('EDPB') published, on 20 October 2022, an English summary of CNIL's decision to fine Clearview AI €20 million.
You can read the summary here.