France’s data protection authority (CNIL) has fined Clearview AI €20 million for the illegal collection and processing of biometric data belonging to French citizens.
The amount is the maximum financial penalty the company could receive as per GDPR Article 83. Clearview AI received the same fine from Italian and Greek data protection authorities for the same violations in March and July.
CNIL also ordered the American facial recognition company to stop all data collection activities and delete all data they had already gathered within two months.
If Clearview AI fails to comply with the orders after the two-month period, CNIL will fine the company €100,000 for every day of non-compliance.
A controversial model
Clearview AI scrapes publicly available images and videos of people from websites and social media platforms and associates them with identities.
Using this method, the firm has collected over 20 billion images that are being used to feed a biometric database of facial scans and identities.
The company sells access to this database to various operators of facial recognition systems, some of them used by law enforcement authorities and private entities worldwide.
In Europe, the General Data Protection Regulation (GDPR) dictates that any data collection needs to be clearly communicated to the people concerned and requires consent.
Even if Clearview AI isn’t using leaked data and the company does not spy on people, individuals are unaware that their images are being used for identification by Clearview AI customers.
GDPR violations
As detailed in the CNIL announcement, the authority warned Clearview AI in May 2021 about the violations, but the company ignored the recommendations.
The GDPR infringements the French authority discovered at the time concerned Article 6 of the regulation (unlawful processing of personal data) and Articles 12, 15, and 17, for limiting individuals’ rights to access the data and request erasure.
In December 2021, the CNIL ordered the company to stop collecting images that people posted online and delivered a final warning.
Clearview AI still didn’t comply with that order, which added one more violation under Article 31 (lack of cooperation).
Source: https://www.bleepingcomputer.com/news/security/clearview-ai-gets-third-20-million-fine-for-illegal-data-collection/