Italy Fines Clearview AI $22 Million, Orders Data Deleted (techcrunch.com) 62
An anonymous reader quotes a report from TechCrunch: Another European privacy watchdog has sanctioned the controversial facial recognition firm, Clearview AI, which scrapes selfies off the Internet to amass a databased of some 10 billion of faces to power an identity-matching service it sells to law enforcement. Italy's data protection agency today announced a [roughly $22 million] penalty for breaches of EU law -- as well as ordering the controversial company to delete any data on Italians it holds and banning it from any further processing of citizens' facial biometrics. Its investigation was instigated following "complaints and reports," it said, noting that as well as breaches of privacy law it found the company had been tracking Italian citizens and people located in Italy.
"The findings revealed that the personal data held by the company, including biometric and geolocation data, are processed illegally, without an adequate legal basis, which certainly cannot be the legitimate interest of the American company," the Garante said in a press release. Other General Data Protection Regulation (GDPR) breaches it identified included transparency obligations (on account of Clearview not having adequately informed users of what it was doing with their selfies); violations of purpose limitation and having used user data for purposes other than those for which they were published online; and also breaches of data retention rules with no limit on storage. "Clearview AI's activity therefore violates the freedoms of the data subjects, including the protection of confidentiality and the right not to be discriminated against," the authority also said. CEO Hoan Ton-That said in a statement: "Clearview AI does not have a place of business in Italy or the EU, it does not have any customers in Italy or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR."
Ton-That added: "We only collect public data from the open internet and comply with all standards of privacy and law. I am heartbroken by the misinterpretation by some in Italy, where we do no business, of Clearview AI's technology to society. My intentions and those of my company have always been to help communities and their people to live better, safer lives."
"The findings revealed that the personal data held by the company, including biometric and geolocation data, are processed illegally, without an adequate legal basis, which certainly cannot be the legitimate interest of the American company," the Garante said in a press release. Other General Data Protection Regulation (GDPR) breaches it identified included transparency obligations (on account of Clearview not having adequately informed users of what it was doing with their selfies); violations of purpose limitation and having used user data for purposes other than those for which they were published online; and also breaches of data retention rules with no limit on storage. "Clearview AI's activity therefore violates the freedoms of the data subjects, including the protection of confidentiality and the right not to be discriminated against," the authority also said. CEO Hoan Ton-That said in a statement: "Clearview AI does not have a place of business in Italy or the EU, it does not have any customers in Italy or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR."
Ton-That added: "We only collect public data from the open internet and comply with all standards of privacy and law. I am heartbroken by the misinterpretation by some in Italy, where we do no business, of Clearview AI's technology to society. My intentions and those of my company have always been to help communities and their people to live better, safer lives."
Extraterritoriality (Score:2)
Re: (Score:2)
Sorry but that's wrong.
All information comes with a "how, when and allowed" uses regardless where you are.
I'm quite sure if I start printing copies of works from an American Museum and sell them, I will be called by layers in my own country, that's because even those are from third countries there are laws that must be abide.
If there were no laws applicable in my country, they could still issue a "sanction" against countries where their law can be transposed.
Even more, if it's too criminal, I might face an
Re: (Score:2)
You think you can sue North Koreans or Iranians in US courts?!?
Ooookay. Look, it's obvious that you have absolutely no idea how international law works. The whole "sanction" thing is clearly something you've made up.
Clearview AI may have problems due to EU treaties if they're doing business with other EU countries, but even then that's not entirely clear.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
If they are holding data on Italian citizens, or anyone physically in Italy at the time of the photo, then the law does apply.
Re: (Score:2)
"If they are holding data on Italian citizens, or anyone physically in Italy at the time of the photo, then the law does apply."
Site the law that supports this. Common sense says that CAI is bound by Italian law IF the image was copied from a device in Italy. Outside of Italian physical borders Italian law does not supersede other country's laws.
Re: (Score:2)
https://gdpr-info.eu/art-3-gdp... [gdpr-info.eu]
This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
the offering of goods or services, irrespective of
Re: (Score:2)
Re: (Score:2)
It still applies, because the people pictured are Italian citizens, and they are protected by the GDPR, and Italy is thus forced to defend their rights under the GDPR. That Clearview AI does not fear retaliation, because they have no business presence, might be, but they are still violating Italian law.
Italian citizens may be protected by the GDPR, but Clearview does not have possession of Italian citizens.
It has possession of public data which Italian citizens freely, without duress, posted in explicitly public places accessible from anywhere around the world.
The Italy/EU GDPR interpretations mentioned in the article would mean, for example, that it must be illegal to walk around a city, take pictures of "Have you seen me?" missing-persons papers publicly posted on street signs, corners, bodegas, store w
Re: (Score:2)
As US citizen, it is strange to me that European governments are so heavily built on collectivism and shared People's ownership of public spaces rather than individual private ownership
I'm interested in knowing more about your US point of view, here is my take. The paradigm in Europe: persons enjoy rights, businesses have to comply with rules.
There is a (partial) economical collectivism in Europe, in which the State owns a share in a few critical companies (defense, heavy industry) such they can influence some important decisions. Your own art, work or image as an individual belongs to you and whoever reuses that in a business needs to ask permission to the legitimate owner. Publishing th
Re: (Score:2)
Under EU law, people's data is inherently protected.
The problem is enforcement. But this ruling will be copied by the EU and then Clearview won't be able to do business with the second biggest market in the world
Re: (Score:2)
And yes, it is illegal to take photos or video of EU citizens and then use it without their permission. This is of course hard to enforce, and your average tourist taking some photos and videos that happen to have
Re:Extraterritoriality : lawyer for Clearview ? (Score:2)
Sounds like you're a lawyer for clearview with a clear interest at trying to defend the indefensible. They violated the rights of individuals across the planet including here in Canada and we have a judgment here against them. Anyways , you sound like their attorney so whatever you might want to make us swallow is total nonsense. Maybe your next career move is to apply to be a lawyer for Trump.
Re: (Score:2)
Re: (Score:2)
Re: Extraterritoriality (Score:2)
It will as soon as a representative sets their foot in Italy.
But then Italy should also request scrubbing of all derived data too from those pictures.
Re: (Score:2)
Or any country that participates in the EU Arrest Warrant scheme, or any country that has an extradition treaty with Italy.
Re: (Score:2)
They claim to collect data from the open internet, which means they either have partnerships with companies that are covered by GDPR or they accept GDPR when scraping websites based in the EU.
They also claim that they have most of the world in their database and don't exclude Europeans.
I don't think there is any real question as to if GDPR applies, it's only a question of if Italy can recover the money.
It also makes the Clearview product even more toxic, in that any company thinking about becoming a custome
Re: (Score:2)
They claim to collect data from the open internet, which means they either have partnerships with companies that are covered by GDPR or they accept GDPR when scraping websites based in the EU.
Then Italy should go after the companies that allow the data to become available. My issue is allowing extraterritoriality you essentially open up anyone to any law that exist in a country. EU companies could be forced, for example, to turn over data to nonEU countries or face fines even if they don't operate there.
They also claim that they have most of the world in their database and don't exclude Europeans.
It's quite possible it was collected legally by them, although I doubt it since, depending on the situation, they may have gotten it through an illegal action by a supplier.
I don't think there is any real question as to if GDPR applies, it's only a question of if Italy can recover the money.
I think whether it ap
Re: (Score:2)
The central issue is that they are processing European citizen's data. If you process data belonging to European citizens, you are covered by GDPR. If you don't want to be, don't process European citizen's data.
The US does the same thing with currency. Any transaction anywhere in the world done in USD has to comply with US laws, e.g. respecting sanctions. They use extradition to enforce it.
Re: (Score:2)
The central issue is that they are processing European citizen's data. If you process data belonging to European citizens, you are covered by GDPR. If you don't want to be, don't process European citizen's data
That may be the EU's position, but does not mean it is the law elsewhere, and should not apply to a company that obtain EU citizens' data outside of the EU. For example, if an EU citizen access a US web site and provides their data, then the US site is under no obligation to comply with the GDPR since US law doesn't require it and if you support extraterritoriality then by definition the EU citizen is bound by US law. A more extreme example than the GDPR would be in the case of Texas' new abortion law, whi
Re: (Score:2)
Well the US seems to disagree with you there. It tried to extradite a Huawei exec who had never been to the US and wasn't anywhere near the US when the alleged crime happened. She was in Canada at the time and Canada seemed willing to consider the extradition request with a full trial.
GDPR isn't criminal law though so while Clearview staff are not at risk of being arrested or extradited, it makes their product toxic. There have already been fines on police in the EU who used it. Any organization that has or
Re: (Score:2)
Well the US seems to disagree with you there. It tried to extradite a Huawei exec who had never been to the US and wasn't anywhere near the US when the alleged crime happened. She was in Canada at the time and Canada seemed willing to consider the extradition request with a full trial.
I would think the argument was as a senior officer she was responsible for actions the company undertook in the US; which is different than if Huawei had no US presence. If Huawei's US operations broke no US law then she should not be charged or extradited. If they had no US operations then there is no reason to charge her either, and if the US were to they would be wrong, IMHO. Their problem was they were operating in the US. Is it not reasonable to hold senior executives responsible, even in civil cases,
Also a violation of the Canadian Constitution (Score:2)
Unlike the USA, Canada grants every Canadian Citizen the Right to Privacy.
In the actual Constitution, not some separate list of amendments.
And this includes what Clearview is doing.
Re: (Score:2)
Unlike the USA, Canada grants every Canadian Citizen the Right to Privacy.
In the actual Constitution, not some separate list of amendments.
And this includes what Clearview is doing.
Not really. The Constitution grants every Canadian the right to "be free of unreasonable search or seizure", however it does not mention privacy rights anywhere.
In Hunter et al. v. Southam Inc [canlii.org] the Supreme Court ruled that the right to be free of unreasonable search and seizure is in fact a privacy right - and that it exists "to protect individuals from unjustified state intrusions upon their privacy", and it established that search and seizure authorization must be established prior to a search, not ex post
Privacy doesn't exist in PUBLIC places (Score:2)
How exactly would you enforce your privacy without violating the rights of the other people in the public space?
Re: (Score:2)
No, that was the replacement of the War Powers Act that we used to use against terrorists like the Russia/CPC financed terrorist truckers.
Re: (Score:2)
You have no idea what I used to do in the Canadian Army.
They are who they are.
Re: (Score:2)
Lol, most of the EU is run by Socialist Democracies, as is Northern Europe.
Get used to it, the water's fine.
10 Billion faces (Score:2)
How can they have 10 B faces? Is that a typo or is there something unique in their data?
Re: 10 Billion faces (Score:2)
Re: (Score:2)
Re: (Score:2)
The word images has been left out between billion and of.
Given the sheer amount of mass narcissism in the world, this suddenly doesn't sound like a large number.
At all.
Re: (Score:2)
... or is there something unique in their data?
On the contrary, I expect the faces to not map uniquely to identities.
What's good for the goose.. (Score:2)
"We only collect public data from the open internet and comply with all standards of privacy and law."
Ever wonder what it would be like if CEOs like this, were followed? I'm talking FOLLOW. All day. Every day. Everywhere they go. Everyone they meet with. Every public purchase they make. Every food they eat. Every driving habit they have.
"Oh, don't mind me...I'm only here collecting 'public' data, to sell to whoever buys it. NBD, right?"
"Clearview AI does not have .. business in Italy (Score:2)
.And with that attitude it never will.
real world use case (Score:2)
Re: (Score:2)
I would guess that none are very close, but that some are, indeed, plumbers.
Re: (Score:2)
Re: (Score:2)
At least with my experiences in the EU, your biometric data is never stored anywhere other than in your identity documents. E.g. if you need replacement documents, you have to get photographed or fingerprinted again.
Re: (Score:2)
Re: (Score:2)
When I renewed by UK driving licence a few years back while we were still in the EU, I was able to select the option to use the photo from my passport. So they do keep it on a database somewhere.
privacy is not a boolean (Score:2)
Re: (Score:1)
according to what you've written, privacy IS a boolean:
you just described a set of features that privacy has, and set theory is a boolean algebra. QED.
Step one : (Score:2)
First of all the Charter of rights is the first chapter of Canada's constitution.
A special office was created to insure people's rights to privacy.
For Clearview , here in Quebec we also created a separate office for privacy issues,. :
Here's what the Federal commissionner had to say
The legally binding provincial orders require Clearview to:
Stop offering its facial recognition services that have been the subject of the investigation in the three provinces;
Heart Broken (Score:2)