France Fines Clearview AI Maximum Possible For GDPR Breaches (techcrunch.com) 38
Clearview AI, the controversial facial recognition firm that scrapes selfies and other personal data off the Internet without consent to feed an AI-powered identity-matching service it sells to law enforcement and others, has been hit with another fine in Europe. From a report: This one comes after it failed to respond to an order last year from the CNIL, France's privacy watchdog, to stop its unlawful processing of French citizens' information and delete their data. Clearview responded to that order by, well, ghosting the regulator -- thereby adding a third GDPR breach (non-cooperation with the regulator) to its earlier tally.
Here's the CNIL's summary of Clearview's breaches:
Unlawful processing of personal data (breach of Article 6 of the GDPR)
Individuals' rights not respected (Articles 12, 15 and 17 of the GDPR)
Lack of cooperation with the CNIL (Article 31 of the RGPD)
"Clearview AI had two months to comply with the injunctions formulated in the formal notice and to justify them to the CNIL. However, it did not provide any response to this formal notice," the CNIL wrote in a press release today announcing the sanction [emphasis its]. The size of the fine is $19.57 million.
Here's the CNIL's summary of Clearview's breaches:
Unlawful processing of personal data (breach of Article 6 of the GDPR)
Individuals' rights not respected (Articles 12, 15 and 17 of the GDPR)
Lack of cooperation with the CNIL (Article 31 of the RGPD)
"Clearview AI had two months to comply with the injunctions formulated in the formal notice and to justify them to the CNIL. However, it did not provide any response to this formal notice," the CNIL wrote in a press release today announcing the sanction [emphasis its]. The size of the fine is $19.57 million.
Jail - not fines (Score:2)
Fines mean nothing if the profits are more than them.
These clowns need jail time.
Re: (Score:2)
Re: (Score:3)
You'd think the initial 2 months was enough notice, and that they'd fine them every day they don't comply or have a plan of action on when they will comply.
Of course the fine will mean nothing if the profits are higher, and thus should be increased to, say, some percentage of their annual revenue, per day.
Re: Jail - not fines (Score:2)
Fines go up if ignored. There are systems in place to ensure compliance isn't optional
Re: (Score:2)
Considering that Clearview are US-based and without a French presence, I don't know how the EU could collect. Great test of the GDPR though.
Re: (Score:2)
Intercept any fees paid to Clearview by payment providers. Such as Visa, Mastercard, Banks, etc.
Payment providers would have to comply, if THEY wanted to continue to do business in the EU.
Re: Jail - not fines (Score:1)
Will this mean anything? (Score:3)
Re:Will this mean anything? (Score:5, Interesting)
It is an interesting test of the GDPR.
The GDPR was crafted with an incredibly broad scope, in that it applies to you REGARDLESS of if you are present in Europe, and also REGARDLESS of if you do business in Europe. To be subject to GDPR all that matters is if the data subject is an EU citizen.
IE - person from France travels to Utah. While there they enter their private information (email address, etc) to a regional Escape Room company. That data is now subject to GDPR regulations, including the right to be forgotten and everything else.
The nit here is, if your business does not exist in Europe, then these civil penalties are hard to enforce. In theory failure to pay the penalties could make the officers of the company liable which would then prevent them from ever traveling to Europe either. But no one is ever going to extradited due to a GDPR violation - wonâ(TM)t happen.
Re: (Score:1)
This. I expect this to be a landmark case. Many companies are in limbo in regard to how can GDPR be enforced for a company with no presence in EU.
Re: (Score:2)
Having used GDPR rules with some US companies, I find they are generally quite effective.
Most US companies at the very least don't want to scupper any future business opportunities in Europe. When it comes to internet companies, they often have things like CDNs and advertising customers in Europe, even if they are a US centric site.
Clearview AI have ensured that they won't get any customers who operate in the EU, or go anywhere near that market, or think they might in the future.
Re: (Score:3)
Clearview AI have ensured that they won't get any customers who operate in the EU, or go anywhere near that market, or think they might in the future.
I'm not sure I believe that. It's too easy to hide both payments and transfers of data; it wouldn't surprise me if even EU law enforcement agencies find a way to make use of Clearview in total disregard of regulations and bans.
Re: Will this mean anything? (Score:1)
Other than âoesure, we will deactivate your accountâ, how far have you actually gotten?
I know many large companies in the EU and in the US that simply donâ(TM)t care beyond lip service.
Re: (Score:2)
Retaliating by deleting your account is illegal, unless that's what you asked them to do.
Usually I do a DSAR, and then follow up with a deletion request.
Re: (Score:1)
But what proof do you have other than they said they complied. There is no mechanism in GDPR to verify. Besides that, many companies will run afoul of other financial regulation if they just up and comply with any deletion requests.
Hence me saying, many companies will say "sure, we comply" just to get you to shut up but don't actually delete or even have an internal mechanism to do what you say. They'll just make sure you can't access your database entry.
Re: (Score:2)
Think about the practicality of lying. If they lie and get caught, the consequences can be pretty dire. If they don't want to get caught, they can keep your data hidden away somewhere and cackle with evil laughter about it, but they can't monetize it.
Don't left perfect be the enemy or really good.
Re: (Score:2)
Beyond them not having a local presence in France?
I expect the GDPR breach to contaminate companies that uses it. Companies having presence in France will face similar fines if they use the product (since its use leads to obtain the physical name of a person based on a picture, both of which are private data, and some unlawfully obtained, a fact that a company purchasing the product could not claim in good faith to ignore).
Also since the ruling is straightforward application of EU legislation, there is high probability that it will extend to other EU count
Jurisdiction? (Score:3, Informative)
I believe Clearview AI is an american company located in New York, with no presence in France.
Clearview AI is not under French jurisdiction, therefore it has no responsibility to respond to any action by French regulators or courts.
France would have to petition the US government for any action regarding Clearview AI. I doubt they will get a favorable response. Even tho Clearview AI is scummy, as a US corporate citizen they are legally protected from foreign interference by the full power of the US government.
Re: (Score:3)
Clearview is storing biometrical data of French citizens without any for of consent, and thus needs to adhere to the GDPR. It does not matter how/what/where they're incorporated or based.
Re: Jurisdiction? (Score:5, Insightful)
As an American company that doesn't operates in the EU, Clearview has no obligation to follow the GPDR or any other EU law. It doesn't matter if they have data on French citizens or not, France has no authority over them, which is why they are ignoring France.
It's no different than if Iran made a law saying EU women had to wear hijabs and then Iranian courts started ordering them to comply or face fines/jail.
Re: (Score:3)
I suppose my little company in Luxembourg selling social security numbers of every US citizen is perfectly fine then.
Re: (Score:3)
Morally? No. Legally? Yes.
There's a reason "jurisdiction" is a widely recognized concept.
Re: Jurisdiction? (Score:1)
That would likely violate EU law, but even in America that's not illegal in most states, unless you either acquired then through either fraudulently or as a trusted entity like bank, or if you were intentionally selling them to criminals with the intent of committing crime.
It's like group in I think New York posted the address of all concealed carry permit holders. They even made a Google map overlay of it
Re: (Score:2)
France has no authority over them, which is why they are ignoring France.
A lot would depend on how the EU punishes non-compliance. Would non-compliance be punished by arrest or even jail time? If so, then Clearview executives should be careful about making any stopovers in the EU.
Re: Jurisdiction? (Score:2)
Re: (Score:2)
Ok, makes sense. But then why do americans feel it is completely in their right to sue the entire world on a constant basis! Maybe you should learn that your jurisdiction stops at the border too.
Re: (Score:2)
Clearview AI has an obligation to follow the GDPR if they ever want to do business in Europe, or with European companies.
They have effectively cut themselves off from one of the world's biggest markets.
Re: (Score:1)
As an American company that doesn't operates in the EU, Clearview has no obligation to follow the GPDR or any other EU law. It doesn't matter if they have data on French citizens or not, France has no authority over them, which is why they are ignoring France.
Not true.
Source: Does the GDPR apply to companies outside of the EU?
"For example, you may be a US web development company based in Denver, Colorado, selling websites mainly to Colorado businesses. But if you track and analyze EU visitors to your company's website, then you may be subject to the provisions of the GDPR."
"The whole point of the GDPR is to protect data belonging to EU citizens and residents. The law, therefore, applies to organizations that handle such data whether they are EU-based or
Re: (Score:2)
Of course it does. That is the concept of jurisdiction.
Laws and courts only affect those under their jurisdiction.
Otherwise everyone would be subject to Sharia law (as an example).
Re: (Score:3)
It's not uncommon for countries to have laws regarding crimes against their citizens, even when the action is committed outside the country. The USA has several such laws. Clearview broke a French law by violating the privacy of French citizens and sanctions have been imposed, in France.
It will be hard for the French government to directly compel Clearview to pay the fine, but there are plenty of indirect methods at their disposal without having to resort to requesting extradition (which seems very unlikely
Re: Jurisdiction? (Score:1)
Thatâ(TM)s why companies are incorporated with limited liability. Officers of the company would have to violate the law within EU borders to be liable, just going on vacation, they wouldnâ(TM)t represent the company.
Re: (Score:1)
de minimus fine (Score:3)
A $20M fine is nothing for a company the size of ClearView. It's not even a slap on the wrist to them.
Re: (Score:1)
How are public images not public again? (Score:2)
So, what, are we just supposed to pretend that pictures someone made available to the public, implicitly consenting to letting others see them, aren't publicly available? I'm sorry, but when you put a picture online for the world to see, you're making it available for the world to see. You don't get to complain about who looks at the thing, and you don't get to tell them to forget they saw it. That fundamental absurdity will be t
Re: (Score:2)