Privacy Regulators Need Strong Powers – Clearview AI Penalty

Privacy Regulators Need Strong Powers – Clearview AI Penalty

We learned yesterday that Clearview AI was fined 20 million euros (the maximum financial penalty under article 83 of the GDPR) by France’s data protection authority, the Commission nationale de l’informatique et des libertés. The CNIL began an investigation into a complaint regarding Clearview’s facial recognition database and data processing practices in May 2021, and provided the company with a formal notice to remedy alleged violations in November 2021 that Clearview did not reply to. The CNIL also ordered Clearview to cease  processing activities and delete previously collected data due to GDPR violations.

Clearview AI’s investigative platform allows law enforcement to rapidly generate leads to identify crime suspects. Its facial recognition software essentially scrapes images of faces from publicly accessible on-line sources such as Facebook without transparency or consent, creates biometric identifiers and uploads these to their platform for matching purposes. Given the RCMP’s use of Clearview AI, a joint Investigation by the Office of the Privacy Commissioner of Canada (OPCC) with the Quebec, Alberta and B.C. privacy regulators was conducted in 2020 with a decision published in February 2021.

With PIPEDA’s light-touch approach and the OPCC’s lack of enforcement powers, the report simply ‘recommends’ that Clearview:

  1. Cease offering the facial recognition services to clients in Canada;
  2. Cease collecting, using and disclosing images and biometric data from individuals in Canada; and
  3. Delete images and biometric data collected from individuals in Canada in its possession.

The report states should Clearview maintain its refusal to accept the findings and recommendations of the commissioners, other actions would be pursued to bring Clearview into compliance with federal and provincial privacy laws applicable to the private sector. Clearview AI no longer operates in Canada but refused to halt the collection of Canadians’ data or delete existing images. We heard nothing more, as moving through the courts is an onerous lengthy process.

As of next September, certainly the Quebec commissioner has more clout under Law 25 (Bill 64), but PIPEDA lags far behind with the tabled Bill C-27 that has a long way to go before the Federal Commissioner and the proposed Data Protection Tribunal obtain the power fine organizations for privacy violations. The CNIL’s recent fine is expected to finally have an impact on Clearview AI’s business model and further highlights the need for Canada, at the forefront of privacy concerns but without the legs to stand on, to step up.

For assistance with your global privacy compliance obligations and privacy best practices, contact PRIVATECH.