According to Clearview AI, the General Data Protection Regulation (GDPR) does not apply to it because it has no presence in the European Union. Individual data privacy regulators inside the bloc hold a different opinion.
France's CNIL became the fourth European data protection authority (DPA) this year to sanction the U.S. company over its questionable facial image aggregation techniques. While the U.K. Information Commissioner's Office's fine of more than 7.5 million pounds (then-U.S. $9.4 million), issued in May, had a more lenient tone, the CNIL's 20 million euro (U.S. $19.6 million) penalty against the corporation on Thursday matched those of the Hellenic and Italian DPAs before it.
The Greek and Italian enforcement measures were issued in July and February, respectively.
When its DPA ordered Clearview AI to stop collecting and using data about people on French territory in November 2021, France became one of the first EU nations to officially target the firm. According to the CNIL, the firm did not react to this notification, so the regulator referred the matter to its sanctions committee.
The committee's penalty is the highest it may impose in this circumstance under Article 83 of the GDPR.
The software from Clearview AI lets users input a snapshot of a person's face and compare it to online images of that person's face. It then links to the places where the pictures appeared. More than 20 billion photographs are stored in the system's database, which Clearview AI claims to have collected from a variety of social networking sites and other places where the data is made available to the public.
The EU DPAs claim that clients in other countries can view photographs in the database that belong to citizens of their countries. As a result, those citizens' personal information is being gathered and sold without their awareness or consent.
The CNIL determined that Clearview AI's unauthorized processing of the data of French people violates Article 6 of the GDPR. The business was also chastised for making it difficult for French complainants to exercise their rights to access and erasure since, in the words of the regulator, it "provides partial responses or does not respond at all to requests." The GDPR's Articles 12, 15, and 17 were broken by these activities.
Finally, the CNIL characterized Clearview AI's lack of cooperation in the case as a breach of Article 31 of the GDPR.
Similar to its EU peers, the DPA directed Clearview AI to stop collecting personal data from data subjects in France and to remove whatever information it had previously gathered on citizens of that nation. The business was given two months to comply, after which it would face a daily punishment of €100,000 (about $98,000 US).
Clearview AI did not immediately reply to a request for comment, though it has previously responded to its prior fines by saying it has no clients or place of business in the European Union.
By fLEXI tEAM