Clearview AI fined for violating the European GDPR privacy law

French authorities have imposed the maximum possible fine against Clearview AI, a biometric startup selling its controversial facial recognition technology to governments and law enforcement worldwide. The company must delete the data already acquired on French citizens or face an additional €100,000 fine per day.

Clearview AI received yet another fine for its biometric profiling activities in Europe, this time for illegally collecting and using data belonging to French citizens without their knowledge. The Commission nationale de l’informatique et des libertés (CNIL), France’s data protection authority, imposed a 20 million euros penalty against the American company after a lengthy investigation and an unfruitful cooperation attempt.

Clearview markets facial recognition tools to companies, individuals, and law enforcement, boasting its algorithm can detect any individual with “99% accuracy” in a database with 30+ billion images of faces. The company scrapes the entire public internet (including social networks) to obtain these images –an perfectly legal activity in Clearview CEO Hoan Ton-That’s opinion.

Clearview’s “bias-free” methods could be perfectly legal, yet the biometric company has been battling with fines and cease-and-desist orders in several countries. The CNIL’s latest decision comes after a two-year investigation initiated in May 2020, when the French authority received complaints from individuals about Clearview facial recognition software. Another warning about biometric profiling came from the Privacy International organization in May 2021.

In December 2021, the CNIL cooperated with European counterparts to share the results of independent investigations, finally ordering Clearview to stop reusing photos available on the internet. Clearview didn’t express any interest in complying, so CNIL’s final decision was to impose the maximum financial penalty against the company: 20 million euros. The company will have to delete the data already collected on French citizens, with a further €100,000 fine for every day of delay after a two-month grace period.

The CNIL notes that it found Clearview AI guilty of several breaches of the General Data Protection Regulation (GDPR). The violations include unlawful processing of personal data (GDPR Article 6), individuals’ rights not being respected (Articles 12, 15, and 17), and lack of cooperation with the data protection authority (Article 31).

The CNIL judgment is the third decision against Clearview’s activities after state authorities recently fined the company for unlawfully collecting biometric data in Italy and Greece. It likely won’t be the last. The New York-based corporation continues to sell the idea that its dystopic facial database can “help communities and their people to live better, safer lives.”