Clearview AI came under fire for scraping billions of selfies off the Internet to sell facial recognition services to law enforcement. France’s privacy watchdog said that the company has breached Europe’s General Data Protection Regulation (GDPR), and France has now ordered Clearview AI to delete its database.
So far, Clearview AI has reportedly gathered around 10 billion selfies scraped from Facebook, Instagram, Twitter, YouTube, and Venmo. Combining selfies with facial recognition, the company has allegedly been selling the results to law enforcement organizations with no governmental oversight. It raised major privacy concerns in Europe earlier this year, and CNIL (Commission Nationale de l’Informatique et des Libertés) has now issued an official order for Clearview AI to delete the database.
According to CNIL’s announcement, the organization has been receiving complaints from individuals about Clearview AI’s facial recognition software from May 2020 and opened an investigation. In May 2021, the Privacy International Association also alerted CNIL about Clearview AI’s practices.
Upon the investigations, CNIL revealed two breaches of the GDPR:
- Unlawful processing of personal data (breach of article 6 of the GDPR) because their collection and use of biometric data is carried out without a legal basis;
- The lack of satisfactory and effective consideration of the rights of individuals, in particular requests for access to their data (articles 12, 15 and 17 of the GDPR).
The president of CNIL gave Clearview AI two months to stop the “unlawful processing” and to delete the data. It’s important to note, though, that this only applies to data processed on French territories. CNIL estimates that this includes the data of “several tens of millions of Internet users.” Still, it’s likely that more similar orders will follow from other European countries, judging from European campaigners’ reaction from earlier this year.