Clearview AI – €20,000,000 Fine (France, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Clearview AI was fined EUR 20 million by the French data protection authority for collecting and using facial images from the internet without proper consent. This case is significant because it shows that companies outside the EU must still comply with EU privacy laws if they process data of EU residents. Businesses using biometric data should ensure they have clear consent and data protection measures in place.
What happened
Clearview AI collected and processed facial images from online sources without obtaining proper consent from EU residents.
Who was affected
Individuals in the EU whose facial images were collected and processed by Clearview AI's tool.
What the authority found
The French authority ruled that Clearview AI violated multiple GDPR provisions by processing personal data without a valid legal basis and failing to respect individuals' rights.
Why this matters
This ruling highlights that even companies based outside the EU must comply with GDPR when handling EU residents' data. It serves as a warning to businesses using biometric data to ensure they have explicit consent and robust data protection practices.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The controller operates a facial recognition tool (the tool) to identify data subjects using pictures and video's posted online (online content). The controller is established in the United States and has no establishment in the European Union (EU), but processes personal data of EU data subjects. Specifically, it collects online content in which faces appear, including faces of minors. The tool indexes freely accessible web pages and social media platforms. After the indexing, the tool extracts all images with faces of data subjects. Based on these images, the tool calculates a mathematical hash for each data subject, which is in turn based on a unique biometric template of the face in the picture. The mathematical hash is used to make data subjects searchable in the database. The controller sells access to its database to third parties. These third parties can upload a picture of a face to start a search in order to identify data subject, after which the tool creates a mathematical hash for this uploaded picture. This new hash is compared with existing hashes in the database. When the hashes are similar, the tool collects all the images with the same hash, including a reference to the original source of each picture. This process makes it possible to identify data subjects. In its privacy policy, the controller stated that data subjects could only exercise their right of access twice a year. The controller did not mention a retention period for the personal data. The DPA received several complaints from data subjects regarding the rights of access (Article 15 GDPR) and erasure (Article 17 GDPR) between May and December 2020. One data subject requested a third party to make an access request on her behalf. The controller acknowledged that it had received this request and invited the data subject to use an online platform to exercise her right of access, but failed to answer follow up requests on multiple occasions. When answering to the last request, the contr
Related Enforcement Actions (1)
Other enforcement actions involving Clearview AI in FR
Details
Fine Date
17 October 2022
Authority
Commission Nationale de l'Informatique et des Libertés
Fine Amount
€20,000,000
GDPRhub ID
gdprhub-5353About this data
Cite as: Cookie Fines. Clearview AI - France (2022). Retrieved from cookiefines.eu
Last updated: