France Says Clearview Broke Privacy Laws, Orders It To Delete Residents' Data

from the suprisingly-not-terrible-use-of-the-GDPR dept

Clearview is again on the receiving end of an order demanding it delete all the local data it scraped from thousands of websites and social media platforms.

Canada led the way in booting the facial recognition company, ordering its exit in February. A government investigation concluded Clearview had broken the country's privacy laws with its web scraping and ordered it to delete all Canadian data.

Australia was next, kicking Clearview out in November. It too concluded (after an investigation) that laws were broken by the country. The United Kingdom followed suit, more or less. It didn't kick Clearview out but threatened it with a $23 million fine and forbade it from processing any more data collected in the UK.

Now, it's France's turn. The GDPR is in play this time, which means this announcement is likely to be followed by similar orders from other members of the European Union. Richard Nieva reports on the latest for BuzzFeed.

Facial recognition company Clearview AI has been hit with another order by a country’s watchdog agency to delete the personal data of its citizens, the latest in a global rebuke by privacy regulators around the world.

On Thursday, France’s Commission Nationale Informatique et Libertés (CNIL) said Clearview had breached Europe’s overarching data protection law, known as GDPR. It gave the company two months to delete the personal information it had collected and stop “unlawful processing” of the data.

Clearview hasn't been actually asked to leave, but considering its business model relies on it breaking local laws, there's little reason for it to stick around. Its CEO has responded with some overdone shrugging, claiming it doesn't matter what France says because it doesn't maintain a local office.

In response to the claims, Clearview AI CEO Hoan Ton-That argued that his company isn’t bound by Europe’s data regulation law. “Clearview AI does not have a place of business in France or the EU, it does not have any customers in France or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR,” he said in an emailed statement.

While some of that may be true, it's pretty clear a lot of it isn't. I don't believe Clearview geofences its data-scraping, which means it's certainly still collecting info on European residents. And claiming it has no customers in France or the EU is demonstrably false.

This is from earlier reporting on Clearview by BuzzFeed:

Data reviewed by BuzzFeed News shows that by early 2020, Clearview had made its way across Europe. Italy’s state police, Polizia di Stato, ran more than 130 searches, according to data, though the agency did not respond to a request for comment. A spokesperson for France’s Ministry of the Interior told BuzzFeed News that they had no information on Clearview, despite internal data listing employees associated with the office as having run more than 400 searches.

While it may be technically true it has no customers in the European Union, entities in the union were at least given trial access to Clearview's AI and utilized it. Those are the kind of "activities" that would be "subject to the GDPR." The locals weren't running searches on American citizens. They were running them on residents of their respective countries, meaning there was searchable data collected by Clearview in violation of the GDPR.

At this point, Clearview may no longer be collecting data on Europeans and other countries that have demanded it delete data. But that doesn't mean it's legally in the clear. A belated exit is better than nothing, but no documents have surfaced that show Clearview isn't still gathering data from areas where it's been told to cease operations. All we have are Clearview's assurances, which aren't all that reassuring, considering they're half-truths at best. It still has yet to show it has learned anything from the past 18 months of negative coverage and has never offered anything approaching contrition for its horrific actions and incredibly irresponsible business model.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: facial recognition, france, privacy
Companies: clearview