France Says Clearview Broke Privacy Laws, Orders It To Delete Residents' Data
from the suprisingly-not-terrible-use-of-the-GDPR dept
Clearview is again on the receiving end of an order demanding it delete all the local data it scraped from thousands of websites and social media platforms.
Canada led the way in booting the facial recognition company, ordering its exit in February. A government investigation concluded Clearview had broken the country's privacy laws with its web scraping and ordered it to delete all Canadian data.
Australia was next, kicking Clearview out in November. It too concluded (after an investigation) that laws were broken by the country. The United Kingdom followed suit, more or less. It didn't kick Clearview out but threatened it with a $23 million fine and forbade it from processing any more data collected in the UK.
Now, it's France's turn. The GDPR is in play this time, which means this announcement is likely to be followed by similar orders from other members of the European Union. Richard Nieva reports on the latest for BuzzFeed.
Facial recognition company Clearview AI has been hit with another order by a country’s watchdog agency to delete the personal data of its citizens, the latest in a global rebuke by privacy regulators around the world.
On Thursday, France’s Commission Nationale Informatique et Libertés (CNIL) said Clearview had breached Europe’s overarching data protection law, known as GDPR. It gave the company two months to delete the personal information it had collected and stop “unlawful processing” of the data.
Clearview hasn't been actually asked to leave, but considering its business model relies on it breaking local laws, there's little reason for it to stick around. Its CEO has responded with some overdone shrugging, claiming it doesn't matter what France says because it doesn't maintain a local office.
In response to the claims, Clearview AI CEO Hoan Ton-That argued that his company isn’t bound by Europe’s data regulation law. “Clearview AI does not have a place of business in France or the EU, it does not have any customers in France or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR,” he said in an emailed statement.
While some of that may be true, it's pretty clear a lot of it isn't. I don't believe Clearview geofences its data-scraping, which means it's certainly still collecting info on European residents. And claiming it has no customers in France or the EU is demonstrably false.
This is from earlier reporting on Clearview by BuzzFeed:
Data reviewed by BuzzFeed News shows that by early 2020, Clearview had made its way across Europe. Italy’s state police, Polizia di Stato, ran more than 130 searches, according to data, though the agency did not respond to a request for comment. A spokesperson for France’s Ministry of the Interior told BuzzFeed News that they had no information on Clearview, despite internal data listing employees associated with the office as having run more than 400 searches.
While it may be technically true it has no customers in the European Union, entities in the union were at least given trial access to Clearview's AI and utilized it. Those are the kind of "activities" that would be "subject to the GDPR." The locals weren't running searches on American citizens. They were running them on residents of their respective countries, meaning there was searchable data collected by Clearview in violation of the GDPR.
At this point, Clearview may no longer be collecting data on Europeans and other countries that have demanded it delete data. But that doesn't mean it's legally in the clear. A belated exit is better than nothing, but no documents have surfaced that show Clearview isn't still gathering data from areas where it's been told to cease operations. All we have are Clearview's assurances, which aren't all that reassuring, considering they're half-truths at best. It still has yet to show it has learned anything from the past 18 months of negative coverage and has never offered anything approaching contrition for its horrific actions and incredibly irresponsible business model.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: facial recognition, france, privacy
Companies: clearview
Reader Comments
Subscribe: RSS
View by: Time | Thread
Is it even possible for them to comply?
I don't see how it would be possible for them to comply with this short of shutting down operations completely and worldwide. (Which wouldn't be a bad result, but that's not what the order actually tells them to do.)
Joe is from Canada, Jane is from the UK and they are on vacation together in Italy. Their vacation photo is posted on random-website-dot-com and gets scraped by a US based company.
That gets really complex really fast even without the added wrinkle that there's no reliable way to determine any of that information from that vacation photo.
[ link to this | view in chronology ]
Re: Is it even possible for them to comply?
This is ultimately the main problem with this type of order, along with "right to be forgotten" and other silliness. They make sense when you're dealing with a legacy physical publisher who only operates within the borders of one location, but they quickly lose relevance and the ability to be adhered to once you're dealing with UGC distributed internationally from different locations.
[ link to this | view in chronology ]
You might want to make one small edit to the article...
Australia was next, kicking Clearview out in November. It too concluded (after an investigation) that laws were broken by the country.
Pretty sure you meant to say laws were broken by the company.
[ link to this | view in chronology ]
Impossible business model
Clearview seems to keep finding itself stuck in a bit of a forked stick. Countries want it to follow local privacy laws by removing citizens' data - which seems impossibly complex to do with the vaguely undifferentiated mass of scraped data they've collected.
But, their business proposition is that they can successfully identify people from images,with minimal false positives. So, an inability to trawl their dataset and remove entries with a really important identifier seems like a big problem with their product. They get to either comply, or admit they suck.
[ link to this | view in chronology ]
When you absolutely positively want to look like you are doing something but don't want to put any effort into it.
[ link to this | view in chronology ]