CNIL fined Clearview AI with €20 Million for processing data without legal basis and orders to delete data already collected.
Clearview AI is an US FacialRecognition company, providing software to companies, law enforcement, universities, and individuals.
The company’s algorithm matches faces to a database of more than 20 billion images indexed from the Internet, including socialmedia applications. After the investigations carried out by the CNIL, the DPA found several breaches of the GDPR:
– unlawful processing of personal data (breach of article 6) because the collection and use of biometric data are carried out without a legal basis;
– the failure to take into account the rights of individuals in a effective and satisfactory way, in particular requests for access to their data (articles 12, 15 and 17 of the GDPR).
Throughout the procedure, CLEARVIEW AI failed to cooperate with the CNIL. Indeed, the company only replied very partially to the investigation form that was sent to it and did not provide any response to the formal notice issued by the Chair of the CNIL on 26 November 2021. This also resulted in a breach of cooperating with the DPA.