Challenge against Clearview AI in Europe
This legal challenge relates to complaints filed with 5 European data protection authorities against Clearview AI, Inc. ("Clearview"), a facial recognition technology company building a gigantic database of 10+ billion faces. All 5 authorities have now found Clearview's practices unlawful, imposed fines on the company, and/or ordered it to delete and stop processing data. Clearview has appealed the UK fine, and is subject to an extra penalty fine in France for failing to comply with the order.
Information Commissioner's Office (ICO) (UK)
Commission Nationale de l'Informatique et des Libertés (CNIL) (France)
Garante per la protezione dei dati personali (Italy)
Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα (Hellenic Data Protection Authority) (Greece)
Datenschutzbehörde (Austria)
On 27 May 2021, Privacy International (PI) filed complaints against Clearview AI with the UK and French data protection authorities (ICO and CNIL). Simultaneously, similar complaints were filed by Hermes Centre for Transparency and Digital Human Rights in Italy, Homo Digitalis in Greece, and noyb - the European Center for Digital Rights in Austria.
Clearview is a facial recognition company claiming to have built "the largest known database of 3+ billion facial images". It uses an "automated image scraper" to search the web and collect any images that it detects as containing human faces. All these faces are then run through its proprietary facial software, to build a gigantic biometrics database. Clearview then sells access to this database to private companies and law enforcement authorities.
Various actions have been launched across the globe against Clearview's practices, in countries with biometrics or data protection regulation. Our European complaints are based on various "data subject access requests", as well as PI's technical and legal analyses of Clearview's practices. After various isolated complaints were filed by individuals against Clearview, and isolated enforcement actions taken by the Hamburg data protection authority and the Swedish data protection authority, the complaints seek a coordinated approach across Europe to tackle an inherently cross-border issue. The regulators have 3 months to respond after filing of the complaints.
The complaints argue that:
- The Regulation (EU) 2016/679 (General Data Protection Regulation) ("GDPR") applies to Clearview's collection and biometric processing of faces found online, as these consist in mass processing of European residents' personal data;
- Clearview processes both "regular" personal data (Article 4(1) GDPR) and sensitive or "special categories" data (Article 9(1) GDPR);
- Clearview has no lawful basis for collecting and processing any of this data. In particular, it does not obtain data subjects' consent and such practices cannot fall under its "legitimate interests". In addition, the special categories data it processes cannot be considered to have been "manifestly made public" by the data subject (Article 9(2)(e) GDPR);
- Clearview contravenes a number of other GDPR principles, including the principles of transparency (Article 5(1)(a) GDPR) and purpose limitation (Article 5(1)(b) GDPR);
- The use of Clearview's tool by law enforcement authorities does not fulfil the conditions for law enforcement processing required by the Law Enforcement Directive (2016/680) as transposed in EU member states' national laws. The use of such an invasive, privately developed facial recognition database enabling social media intelligence by law enforcement would not be based on law, nor would it be necessary and proportionate.
The complaint filed with the ICO in the UK makes the same arguments, relying on the UK GDPR and the Data Protection Act 2018 instead.
Clearview's technology and its use further the very harms that European data protection legislation was designed to remedy. PI therefore calls on the regulators to take coordinated enforcement action in order to protect individuals from these highly invasive and dangerous practices.
Updates
On 29 November 2021, the UK's ICO announced its provisional intent to impose a potential fine of just over £17 million on Clearview, finding a number of breaches of the UK GDPR. On 23 May 2022, the ICO issued its final decision, imposing a fine of £7,552,800 on the company and ordering it to delete and stop further processing of UK residents' data. Clearview appealed the ICO's decision to the First-Tier (Information Rights) Tribunal, which on 17 October 2023 upheld Clearview's appeal and quashed the ICO's fine. The ICO is seeking permission to appeal, considering that "the Tribunal incorrectly interpreted the law when finding Clearview’s processing fell outside the reach of UK data protection law on the basis that it provided its services to foreign law enforcement agencies. The Commissioner's view is that Clearview itself was not processing for foreign law enforcement purposes and should not be shielded from the scope of UK law on that basis."
On 16 December 2021, France's CNIL found Clearview's data processing illegal, ordered it to stop this processing and delete data within 2 months. Failure to comply with the order may lead the CNIL to issue a fine.
On 10 February 2022, Italy's Garante also found Clearview's data processing illegal, and imposed a fine of €20 million (the maximum fine amount under the EU GDPR) on the company.
On 13 July 2022, Greece's Hellenic data protection authority also fined the company €20 million, the highest fine ever imposed by the Greek DPA, and ordered it to delete and stop collecting data of data subjects located in Greece.
On 20 October 2022, France's CNIL fined the company €20 million as it had failed to comply with the order from 16 December 2021. On 10 May 2023, the CNIL imposed a further penalty fine of €5,200,000 for failing to comply with the 2021 order.
On 10 May 2023, Austria's DSB found Clearview's use of data illegal, but issued neither a fine nor a general ban (although it said it might do so later on).