CNIL (France) - SAN-2022-019
CNIL - Délibération SAN-2022-019 | |
---|---|
Authority: | CNIL (France) |
Jurisdiction: | France |
Relevant Law: | Article 3(2) GDPR, Article 6 GDPR, Article 12 GDPR, Article 15 GDPR, Article 17 GDPR, Article 32 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 17.10.2022 |
Published: | |
Fine: | 20,000,000 EUR |
Parties: | Clearview AI |
National Case Number/Name: | Délibération SAN-2022-019 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | CNIL (in FR) |
Initial Contributor: | n/a |
The French DPA imposed the maximum possible fine of €20,000,000 on the controller, which provides a facial recognition service, for violations of Articles 6, 12, 15, 17 and 32 GDPR.
English Summary
Facts
The controller is a company which operates a facial recognition tool (the tool) to identify data subjects using pictures and videos online (online content). It is established in the United States and has no establishment in the European Union (EU), but it processes personal data of data subjects in the EU. Specifically, it collects images online in which faces appear, including faces of minors. The controller only excluded a few hundred URLs from its list of websites to collect images. In total, the controller collected more than twenty billion images worldwide to provide its service.
The tool indexes freely accessible web pages and social media platforms. After the indexing, the tool extracts all images with faces of data subjects. Based on these images, the controller calculates a mathematical hash for each data subject. This mathematical hash is used to make data subjects searchable in the database. The controller sells access to its database to third parties, such as law enforcement. These third parties can upload a picture of a face to start a search, after which the tool creates a mathematical hash for this uploaded picture. This new hash is compared with existing hashes in the database. When the hashes are similar, the tool collects all the images in the database of the controller with a reference to the original source on the internet.
The controller described the tool as “a research tool used by law enforcement authorities to identify perpetrators and victims of offences”. It also described that the tool enabled “analysts” to conduct a search by uploading crime scene images to compare them to those that are publicly available. According to the controller, this allowed the police to identify an individual only with the use of an image. In its privacy policy, the controller stated that the right of access could only be exercised twice a year. The controller did not state a retention period for the data.
One data subject requested a third party to make an access request on her behalf. The controller acknowledged that it had received the request and invited the data subject to use an online platform to exercise her right, but failed to answer the follow-up requests on multiple occasions. At one time, the controller also asked for the submission of a photograph and ID card and repeated the invitation to use its online platform to exercise the right of access. After four months and 7 letters, the controller provided access for the data subject. The DPA received several complaints from data subjects regarding the rights of access (Article 15 GDPR) and erasure (Article 17 GDPR). After this, the DPA started an investigation.
Holding
GDPR applicable? (Article 3(2) GDPR)
The DPA held that the GDPR was applicable pursuant to Article 3(2) GDPR. The DPA stated that it was necessary to determine two things: (1) whether the controller processed personal data relating to data subjects in EU territory and (2) whether this processing was linked to the monitoring of the behaviour of those individuals (recital 24 and Guidelines 3/2018).
(1) The DPA held that the controller collected three sorts of personal data according to the privacy policy. It determined that the controller collected publicly accessible photographs on the internet, information extracted from these photographs (such as geolocation data) and information from the facial appearance of data subjects in these photographs. The DPA referred to the Rynes case, stating that the image of the individual photographed or filmed constitutes personal data when the individual can be recognised. The DPA additionally determined that the controller also processed biometric data (Article 4(1)(14) GDPR) and that the collection also concerned data subjects in the EU.
(2) Secondly, the DPA held that the processing of the controller was linked to the monitoring of the behaviour of data subjects (Article 3(2)(b) GDPR). The DPA stated that the processing merely had to be ‘related’ to the monitoring. It is not necessary that monitoring is the primary purpose of the processing. The DPA stated that monitoring also included profiling (Article 4(1)(4) GDPR and recital 24).
(a) The DPA held that the search result associated with a photograph must be qualified as a behavioural profile of the data subject because it contained numerous pieces of information about data subjects or allows access to this information. The DPA stated that the controller created such behavioural profiles using all its collected pictures of data subjects in its database, including links to the original source of the images on the internet. The DPA stated that this made it possible to gather many different bits of information on the data subject. For example, it was possible to identify a social media account of a data subject with the URL and the profile picture. The search result in the database also included metadata, which enabled the possibility of supplementing an individual’s profile. This search also made it possible to identify a data subject’s behaviour on the internet, by analysing what they have decided to put online.
(b) The DPA also held that the processing of the controller constituted monitoring on the internet. It stated that the very purpose of the controller's tool was to identify and collect certain information, and that it made searches on data subjects possible. It also stated that a third party could search multiple times, which made it possible to detect a change in behaviour if the database is updated regularly.
Applicability of one stop shop mechanism
The DPA held that the one-stop-shop mechanism was not applicable in this situation and held that every supervisory authority was competent to deal with this case. The reason for this was the fact that there was no principal place of business or sole establishment of the controller (Articles 55(1) and 56(1) GDPR and recital 122).
No legal ground for processing (Article 6 GDPR)
The DPA held that the controller violated Article 6 GDPR because it did not have a legal ground for processing (recital 47). It stated that the controller processed data solely for commercial purposes, despite the possibility that its service could be used by law enforcement agencies. The controller’s privacy policy did not mention any legal basis, and the DPA held that the legal grounds of Article 6(1)(b), 6(1)(c), Article 6(1)(d) and Article 6(1)(e) GDPR were not applicable in this case. It also held that the controller could not rely on legitimate interests (Article 6(1)(f) GDPR, recital 47) because it ruled the balancing exercise of the controller’s interests against the interests of the data subjects in favour of the latter.
Violation of the right of access (Article 15 GDPR)
The DPA held that the controller violated Articles 12 and 15 GDPR. It stated that the answer of the controller was only partial, because all the information in Article 15(1) GDPR was missing from the response, in which the controller only referred to its privacy policy. The response only contained results of a search in the database. It also held that the limitation on the right of access (twice every year) had no basis, because the privacy policy did not specify the retention period of the personal data.
Violation of the right of erasure (Article 17 GDPR)
The DPA held that the controller violated Article 17 GDPR because the controller did not reply to an erasure request by a data subject. The DPA determined that since there was no legal basis for the processing, erasure was legally binding.
Failure to cooperate with the DPA
The DPA held that the controller violated Article 32 GDPR because it only partially answered an information request and neglected an order by the DPA to comply with the GDPR. The DPA fined the controller the maximum amount of €20,000,000 under Article 83 GDPR and considered several aggravating factors, such as the severity of the violation of Article 6 GDPR and the fact that, according to the DPA, the biometric template of faces in pictures was considered sensitive personal data (Article 9 GDPR).
Comment
The DPA doesn't initially mention the fact that a 'biometric template' might constitute sensitive personal data in the context of Article 9 GDPR, but the DPA mentions this as an aggravating factor when determining the amount of the fine.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.