CLEARVIEW AI – Violation Found (France, 2021)

The CNIL received several complaints from individuals and NGOs on the way Clearview AI's processing of biometric data. The company conducts facial recognition AI trainings for law enforcement purposes mainly on a large database from public web sources, including social media. The CNIL started an EU-wide investigation in close collaboration with other competent EU DPAs. The CNIL's investigations revealed two main breaches of the GDPR. First, Clearview AI was illegally processing personal data. Indeed, as stated in Article 6 GDPR, a legal basis is required to process personal data. The company had no legitimate interest to collect and process such sensitive data and therefore had to rely on a consent-based approach (Article 6(1)(b) GDPR). Since the the company did not appear to seek any consent from individuals the processing operations were deemed unlawful. Second, Clearview AI had been unlawfully hindering individuals from exercising their rights. On the one hand, insufficient information and accessibility regarding procedures were provided, thus in breach of Article 12 GDPR. On the other hand, the company had undermined individuals rights of access (Article 15 GDPR) and right to be forgotten (Article 17 GDPR) by: * restricting access to data collected only in the 12 previous months; * authorizing right of access only twice a year; * answering requests only after several attempts from individuals; * not effectively answering requests by providing incorrect and incomplete replies. The CNIL sent Clearview a letter of formal notice asserting that Clearview must facilitate individuals rights exercising and stop processing data without relevant legal basis within a two months period, as well as delete any personal data collected previously.