In October 2022, French data privacy regulator CNIL fined Clearview AI €20 million for its scraping of social media profiles and public sources for biometric image fodder. The controversial facial recognition outfit was also ordered to stop this sort of data collection and delete the data it had already collected, within two months of the decision. After Clearview failed to pay the data protection fine or provide any proof of compliance, CNIL is now issuing an overdue payment penalty in the amount of €5.2 million.
Facial recognition firm ignores European enforcement actions, claims GDPR doesn’t apply
Clearview AI has stirred up a great deal of controversy with the way in which it populates its facial recognition system. The company has been caught vacuuming up publicly posted pictures from all over the world, for a purpose that users never intended (and did not grant consent for): law enforcement databases. At minimum, this behavior has violated social media API use policies and has gotten the company banned by many of the biggest names at this point. Some countries have also shown Clearview AI the door entirely.
The facial recognition firm was warned that it could face additional fines of €100,000 per day if it did not comply with CNIL’s prior orders. But Clearview has been dodging this sort of trouble in Europe since 2021, and there are no indications it intends to pay any data protection fines that the EU bloc as a whole hits it with. CNIL has said that it is in communication with the US Federal Trade Commission (FTC) about ways to compel the Manhattan-based company to pay its penalties.
France has not gone as far as to bar Clearview from offering its facial recognition services in the country, allowing it to keep its local website up, but the company appears to have been voluntarily steering clear of clients in the EU for several years now in a bid to avoid regulation. The company appears to do the vast majority of its business with US law enforcement agencies and, in the past, with some major retail chains in that country. In June 2020 the European Data Protection Board warned the company that its product was likely to be found illegal to use in the bloc.
Clearview AI has essentially issued boilerplate responses for several years when it is hit with data protection fines or other legal troubles in the EU, saying that it does not offer its facial recognition product in the region and that its lack of physical presence there means it is not subject to the terms of the General Data Protection Regulation (GDPR). The rules do make clear that anyone processing the personal data of EU residents, in this case biometric data, is subject to regulation regardless.
While Clearview may well never end up having to pay these data protection fines, the penalties do serve some amount of purpose in providing an ever-growing barrier to setting up shop in the EU. They also serve as a warning to similar facial recognition firms that would try to offer a similar product in the region.
Data protection fines mount, but may go unpaid unless US government gets involved
Clearview AI has also received €20 million data protection fines from Italy and Greece (and €9 million from the UK) over its facial recognition scraping, the maximum amount that the GDPR allows for if 4% of the company’s annual turnover does not reach that amount. The company claims it has been valued at over US$100 million, but revenue estimates from various sources put its annual turnover at about $1 to $5 million.
In the past, the company has tried to defend itself with claims that it has scraped so many billions of images from around the world that it is not reasonable to identify subjects from Europe or individual nations. This defense has been undercut by Clearview’s prior sales pitches of its facial recognition product in the region, however. Local police in Sweden made use of the system in the past, something that they were fined for by the national data protection authority. A list of Clearview’s clients leaked to BuzzFeed in 2020 indicated that law enforcement in about a dozen additional European nations had at least had contact with the company and may have used the software on a trial basis.
Clearview managed to raise $30 million from investors in 2021 in spite of its assorted difficulties, but the embattled facial recognition firm could very well wind up dissolved if it were forced to pay its data protection fines. This is far from the only recent money trouble it has had, with a 2022 lawsuit settlement establishing that it cannot sell its database to private entities in the US (in addition to being ordered to pay a total of $300,000). Law enforcement agencies in certain cities, such as Los Angeles, have also voluntarily banned the service after questions about how personnel were using it emerged.