Here’s how the French data protection regulator describes controversial facial recognition service Clearview AI, in its own words, in clear and plain English:
CLEARVIEW AI collects photographs from a wide range of websites, including social networks, and sells access to its database of images of people through a search engine in which an individual can be searched using a photograph. The company offers this service to law enforcement authorities. Facial recognition technology is used to query the search engine and find an individual based on [their] photograph.
The French regulator we are referring to here is officially known as the CNIL, short for Commission Nationale de l’Informatique et des Libertés, a phrase that needs no translation, even though English is, historically at least, a Germanic and not a Romance language.
Back in October 2022, we reported that CNIL had fined Clearview AI €20,000,000 for deploying its image scraping technology in France, arguing (convicingly, in our opinion) that constructing data templates for recognising individials amounted to collecting biometric data, and that biometric data of this sort is unarguably PII, or personally identifiable information:
Facial recognition technology is used to query the search engine and find a person based on their photograph. In order to do so, the company builds a “biometric template”, i.e. a digital representation of a person’s physical characteristics (the face in this case). These biometric data are particularly sensitive, especially because they are linked to our physical identity (what we are) and enable us to identify ourselves in a unique way.
The vast majority of people whose images are collected into the search engine are unaware of this feature.
No consent, no fair, concluded CNIL.
Not just collection, but concealment, too
Worse still, CNIL castigated Clearview for trying to cling onto the very data it shouldn’t have collected in the first place.
The regulator ruled that Clearview made it unacceptably difficult for French people to exercise their rights not only to request full details of PII collected about them, but also to have any or all of that data deleted if they wanted.
CNIL determined that Clearview placed artificial restrictions on letting individuals get at their own data, including: by refusing to delete data collected more than a year earlier; by allowing people to request their data only twice a year; and by “only responding to certain requests after an excessive number of requests from the same person.”
CNIL even summarised these problems in a neat, English-language infographic:
Penalties added to penalty
As well as ordering Clearview to delete all existing data on Frech residents, and to stop collecting data in future, CNIL noted back in 2022 that it had already tried to engage with the face-scraping company but had been ignored, and had therefore run out of patience:
Following a formal notice which remained unaddressed, the CNIL imposed a penalty of 20 million Euros and ordered CLEARVIEW AI to stop collecting and using data on individuals in France without a legal basis and to delete the data already collected.
Apparently, Clearview has still made no effort to comply with the French regulator’s ruling, and the regulator has yet again decided it has had enough.
Last week, CNIL invoked a “thou shalt not ignore us this time” clause in its previous settlement, allowing for fines of up to €100,000 for every day that the company refused to comply, stating that:
CLEARVIEW AI had two months to comply with the order and justify compliance to the CNIL. However, the company did not send any proof of compliance within this time limit.
On 13 April 2023, [CNIL] considered that the company had not complied with the order and consequently imposed an overdue penalty payment of €5,200,000.
What next?
We can’t help but wonder what’s going to happen next.
If you were {Queen, King, President, Supreme Wizard, Glorious Leader, Chief Judge, Lead Arbiter, High Commissioner of Privacy}, and could fix this issue with a {wave of your wand, stroke of your pen, shake of your sceptre, Jedi mind-trick}…
…how would you resolve this stand-off?
William A. Wheatley
How would I resolve this stand-off? “Off with their heads.”
Paul Ducklin
Just to be clear… you can assume you have a sceptre, but not a sword!
Anonymous
We need to instate the corporate death penalty.
Paul Ducklin
In many countries, I think that companies can be forced to stop trading (insolvency springs to mind). Not sure how you manage that between different jurisdictions…
Pete
I guess, a sceptre can achieve similar results to a sword with enough patience.
Eddie Stallard
Truely the fresh way
Ralph
Kind of surprising that a company like this would not care about legal issues of this scale… but I guess I shouldn’t be surprised by anything big tech companies do.
Also I think a Jedi mind-trick is likely the best way to resolve this. Unless Clearview AI’s president is a Toydarian.
SM
Very simple. Classify the company as a criminal organisation (since they are so blatantly ignoring the law). Get an interpol order to seize their bank accounts and arrest all representatives of the company.
Strangely, this is all done very easily these days with anyone who disagrees with government doctrines on other issues. If they don’t do it, my conclusion is that CNIL just wants do be seen doing something without actually doing anything because the illegal activities of the company are condoned by the government. After all, all EU governments love to keep an eye on their citizens…
Paul Ducklin
There are rather important differences between regulations (and how they are enforced) and laws (and how criminal charges are brought for violating them).
You can be in breach of regulations, you can be fined, and you can pay that fine… without actually getting a criminal conviction. (A well-known example in the UK involves coronavirus lockdown regulations and someone who was a senior politician at the time. A lot of FTC and SEC settlements in the US work that way, too. You pay a penalty or a “settlement” that amounts to a fine in common speech, but not in legal terms.)
So I don’t think an Interpol arrest warrant could be issued at this point, whether you might consider it appropriate or not.
Any lawyers care to comment? (Unofficially, of course!)
Pete
Could it be criminal to not pay the fines? (Not a lawyer).
Larry S Couch
The officers of Clearview need to be personally jailed until the company obeys.
Richard P
… and displayed in a “Wanted” poster all over the Internet.
Paul Ducklin
If they were already in jail, wouldn’t a “Wanted” poster be unnecessary?
Kurt S
Declare “anarchy Rules” and let a contract.
Wilbur
Declare their customers to be “co-conspirators” and subject them to the same fine – I think lawyers call that “jointly and severally” although I am not one. Then go after every customer that can be identified, including police or any other government agencies. Shut down their customer base and they will (probably) take notice.
Although I suspect SM (above) may have a point – I wouldn’t be surprised if government agencies all over the world are falling all over themselves trying to access this data.
Bart Knutsen
This sounds like the French have improved upon the Sophos technology, RAPIL (Recognition and Analysis of Potentially Intruding Lifeforms).
In the early days of April 2008, Vanja S announced the release of RAPIL – whereby, people of ill repute could be identified by common characteristics – By understanding these traits, and having the webcam ‘look’ at the user – RAPIL could pro-actively lock your device before any malicious activity could even be performed.
Amazing stuff!! There where limitations – you could bypass the RAPIL Security by wearing a Groucho Mask, or even a French Beret and striped t-shirt
Perhaps this is all that is required for the French citizens – to all wear berets and striped t-shirts to avoid detection by CNIL
NB: RAPIL is from a Sophos April Fools Day post in 2008
https://nakedsecurity.sophos.com/2008/04/01/rapil-a-slap-in-the-face-for-hackers-and-virus-writers/
Markymark
What’s being done in the UK to prevent this kind of privacy infingement one wonders?
Paul Ducklin
As mentioned in our earlier article (link above), Oz and the UK already did a sort of joint investigation and issued “cease and desist” (and delete your data) notices. Quite how (or if) this is being enforced I don’t know…
…could be the kind of thing that Private Eye might look into :-)
Anonymous Coward
The way to deal with Clearview AI is to hack their database and delete everything. Then hack their bank accounts, and empty them. And honestly, it needn’t be the CNIL that do it. That’ll learn ’em!
But in all seriousness, I recommend that the next move should be to engage with Max Schrems and have him advise. He has an excellent track record of dealing with the privacy issues caused by US based companies from within a European legal structure.
Short of ruffling diplomatic feathers, Europe and the US will have to resolve this via legal recourse. That might mean passing more laws from within Europe, in the same way that the US passed the SCA and CLOUD acts.
My 2c.
Pete
Schrems is only calling European courts, which then issue fines or tell companies to stop doing something. What makes you think, that Clearview cares about this if it doesn’t care about other European fines?
John Harding
I like the question – goes much deeper than Clearview in that this is a significant issue.
The fine is a debt owed by the company therefore raise proceedings for recovery in the country/s where Clearview is registered.
Create additional laws which render failure to comply outwith the appeal period criminal. Making the offence criminal could perhaps lead to pursuing for the proceeds of crime – i.e. the whole company and it assets (the database and software).
Take proceedings against any company or organisation using such data that operate within France / EU. Fine them too.
Approach the government of where the Clearview are registered and declare that country does not comply with aquiline requirement under GDPR. Might be a bit of cutting off your nose to spite your face but does get attention – even in the US!
Mahhn
As they work for shadow governments and crime bosses, nothing will happen to any of them. The company ‘may’ rebrand; remember private terrorist contractor BlackWater in the US, they are still around. Couple name changes and it all fades from the news. I do wish there was a better outcome, but reality hits really hard…
Paul Dodd
The EU GDPR covers the whole of the EU, not only France. Clearview AI is dead.
James McLaren
“I fart in your general direction! Your mother was a hamster and your father smelt of elderberries!!”