AI company Clearview received the maximum fine imposed by CNIL, totalling 20 million euros, after a formal notice was left unaddressed.
A formal notice from the CNIL giving Clearview AI two months to comply with various injunctions in November 2021 was left unattended, the Authority has decided to impose a maximum fine of €20 million according to article 83 of the GDPR. The formal notice asked the company to cease the collection and use of personal data of persons on French territory without a legal basis, to comply with requests for erasure, and to delete the data already collected within a two month period. This injunction had an additional penalty of €100,000 per day of delay. Notwithstanding, this formal notice remained unattended, resulting in the CNIL imposing the maximum fine possible on Clearview AI.
CNIL’s investigation revealed that Clearview AI was unlawfully processing personal data of individuals.
Clearview AI‘s processing of individuals’ personal data was found to be unlawful because it lacked a legal basis. A legal basis for the collection and processing of personal data is a requirement under Article 6 of the GDPR. Clearview AI had not gathered consent from the data subjects and they did not have a legitimate interest in collecting or using this data either. The company’s processes were considered intrusive, as Clearview scraped the Internet retrieving images of millions of Internet users in France. While the media collected by Clearview was accessible on various websites including individuals’ social media accounts, having their personal images processed by a company to supply facial recognition services to be used by law enforcement was not a reasonable expectation of the individuals, when they uploaded their photos and videos.
CNIL also found that Clearview AI made it difficult for data subjects to exercise their rights of access.
The investigation by the supervisory authority revealed that Clearview AI limited the exercise of data subject’s right to access and erasure to only data collected during the 12 months preceding the request. In addition the company restricted the exercise of this right to only twice a year without justification for this rule. It was also found that the company only responded to requests after receiving several requests from the same person. Moreover, when Clearview AI did respond to requests for access and erasure, the responses were not effective. The company would either only partially respond, or not respond at all. This violates article 12, 15, and 17 of the GDPR.
Clearview AI partially replied to the investigation form received from CNIL, but did not respond to the formal notice.
Although Clearview AI did partially respond to the initial investigation form that CNIL sent to the company, there was no response to the formal notice issued in November 2021. According to CNIL, Clearview AI failed to cooperate throughout the procedure. This is a breach of Article 31 of the GDPR, which states that controllers, processors and, where applicable, their representatives, “shall cooperate, on request, with the supervisory authority in the performance of its tasks.” During the investigation, Clearview AI cooperated with other European supervisory authorities, all of which have the ability to act on their own territories, as the company has no established headquarters in Europe. Various European supervisory authorities have already taken action against the company and its unlawful practices.