CLEARVIEW AI ordered to delete photos by the French DPA after an investigation revealed unlawful collection and processing of photos from the Internet.
CLEARVIEW AI and the facial recognition software the company produces were first reported to the CNIL in May of 2020. This led to an investigation which uncovered two GDPR infractions: the unlawful processing of personal data, and the lack of sufficient consideration of the rights of the individual, particularly the right to request access to their data. As a result, the CNIL has ordered CLEARVIEW AI to cease the collection and use of data from people on French territory without legal basis, and to facilitate access to data by data subjects. In addition, CLEARVIEW AI was ordered to comply with requests to have data erased. The CNIL has given the company two months to comply with the requests sent in its formal notice.
CLEARVIEW AI developed a facial recognition system that uses a database of photos which the company had neither consent nor a legal basis to process.
CLEARVIEW AI developed facial recognition software whose database is built on photographs and videos extracted from publicly accessible media on the internet. The company does not obtain the consent of the data subjects whose photos are being used to feed its software. There is also no legal basis for the processing of this personal data. As a result, the company was found to be in breach of Article 6 of the GDPR. The collection of data of tens of millions of individuals on French territory without legitimate interest is also considered particularly intrusive.
“It should be noted that the fact that personal data is publicly available does not mean that it can be freely used. The GDPR applies to publicly available personal data as well, therefore a basis of Article 6 is required in order to process it lawfully. If this basis is legitimate interest, a Legitimate Interest Assessment needs to be performed,” comments Cristina Contero Almagro, Partner in Aphaia.
The CNIL also found CLEARVIEW AI in breach of Articles 12, 15 and 17 of the GDPR, as individuals had difficulty exercising their rights with the company.
The many complaints received by the CNIL pointed to an issue with individuals’ rights being infringed upon by CLEARVIEW AI, particularly the right of access for data subjects and the right to erasure. The company was found to have been limiting the exercise of the right of access to only data collected during the 12-month period preceding the request. In addition, individuals were only being allowed by CLEARVIEW AI to exercise this right twice a year, without justification. The company was found to respond to certain requests only after an excessive number of requests from the same person. When requests were made to exercise the right to erasure, it was reported that the company either did not respond at all or provided incomplete responses. CLEARVIEW AI has since been put on notice by the CNIL to come into compliance, cease unlawful processing and delete all data processed unlawfully within a two-month period.