Clearview refuses to pay a CNIL fine
It’s not easy to charge a foreign company… The CNIL has experienced this with the…
It’s not easy to charge a foreign company… The CNIL has experienced this with the American company Clearview, which specializes in facial recognition.
The French personal data policeman took the decision in April to demand a fine of 5.2 million euros from the American group for not having paid the fine of 20 million euros. inflicted in October, or changed its photo collection practices.
Clearview sells access to its database, which makes it possible to find a person by their photo. It “sucks up photographs from a large number of websites, including social networks”, notes the CNIL. The company offers this service to law enforcement agencies in the United States and several other countries.
In addition to the fine, the court had ordered the company not to proceed, without a legal basis, to the collection and processing of data from people in France, and to delete the data of these people if necessary, under penalty of a fine of 100,000 euros per day, after a period of two months. “The company has not sent any proof of compliance within this period”, explains the CNIL.
On the side of Clearview, we defend ourselves by recalling that the company “has no establishment in France or in the EU, has no customers in France or in the EU and does not undertake activities that would subject him to GDPR. […]. We only collect public data from the open internet and follow all privacy and legal standards. My intentions and those of my company have always been to help communities and their inhabitants to live better and safer”, explains its general manager, Hoan Ton-That.
Which, according to legal experts, does not hold. “Just because you can access data publicly doesn’t mean you can use data as you wish. The principle of the purpose of the processing is the very basis of the GDPR”, answers Yaël Cohen-Hadria, lawyer at EY. “The GDPR applies to foreign companies as soon as they collect personal data or have servers in the EU,” adds Alan Walter, from Walter Billet Avocats.
Already in October, the New York company had made it known that it was not ready to obey these injunctions. “There is no way to determine if a person is of French nationality solely from a public photo on the Internet, and it is therefore impossible to delete the data of French residents”, she had justified herself.
Get closer to the FTC
What can the CNIL do? The institution says it is continuing to approach its American counterpart, the Federal Trade Commission (FTC), to enforce the decision. The Ministry of Economy and Finance is moving in the same direction.
In the lawyers’ opinion, she could go to US or even French courts to declare the company’s website illegal. “This is not the first time that we have observed this type of problem: we have been waiting for years for an agreement which proves that when we exchange data with the United States, there is an execution of procedures”, explains Yaël Cohen-Hadria.
The CNIL considers that a blocking of the site is not appropriate since “it is simply intended to promote the facial recognition tool that it markets and that it is foreign to the way in which the tool “.
The American start-up, financed in particular by Peter Thiel, was also sanctioned in 2022 in the United Kingdom and Italy, recalls AFP. It agreed last year to no longer sell its biometric databases to companies in the United States, as requested by civil rights groups.