CNIL (France) - MED-2021-134

From GDPRhub
CNIL (France) - MED-2021-134
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 6 GDPR
Article 12 GDPR
Article 15 GDPR
Article 17 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 26.11.2021
Published: 16.12.2021
Fine: None
Parties: CLEARVIEW AI
National Case Number/Name: MED-2021-134
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Legifrance (in FR)
Initial Contributor: JulesO3

The French DPA (CNIL) ordered Clearview AI, a company conducting facial recognition on public web sources, to stop unlawfully collecting and processing the personal data of data subjects on the French territory, delete all such personal data collected previously, and set up clearer and more efficient procedures that enable the enforcement of the right of access and right to be forgotten.

English Summary

Facts

The CNIL received several complaints from individuals and NGOs on the way Clearview AI's processing of biometric data. The company conducts facial recognition AI trainings for law enforcement purposes mainly on a large database from public web sources, including social media. The CNIL started an EU-wide investigation in close collaboration with other competent EU DPAs.

Holding

The CNIL's investigations revealed two main breaches of the GDPR.

First, Clearview AI was illegally processing personal data. Indeed, as stated in Article 6 GDPR, a legal basis is required to process personal data. The company had no legitimate interest to collect and process such sensitive data and therefore had to rely on a consent-based approach (Article 6(1)(b) GDPR). Since the the company did not appear to seek any consent from individuals the processing operations were deemed unlawful.

Second, Clearview AI had been unlawfully hindering individuals from exercising their rights. On the one hand, insufficient information and accessibility regarding procedures were provided, thus in breach of Article 12 GDPR. On the other hand, the company had undermined individuals rights of access (Article 15 GDPR) and right to be forgotten (Article 17 GDPR) by:

  • restricting access to data collected only in the 12 previous months;
  • authorizing right of access only twice a year;
  • answering requests only after several attempts from individuals;
  • not effectively answering requests by providing incorrect and incomplete replies.

The CNIL sent Clearview a letter of formal notice asserting that Clearview must facilitate individuals rights exercising and stop processing data without relevant legal basis within a two months period, as well as delete any personal data collected previously.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Decision n ° MED-2021-134 of November 26, 2021 giving formal notice to the company CLEARVIEW AI

The President of the National Commission for Informatics and Freedoms,

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;

Considering the amended law n ° 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its article 20;

Having regard to Decree No. 2019-536 of May 29, 2019 issued for the application of Law No. 78-17 of January 6, 1978 relating to information technology, files and freedoms;

Having regard to deliberation No. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Informatics and Freedoms;

Considering the decision n ° 2020-116C of August 26, 2020 of the President of the National Commission for Informatics and Freedoms to instruct the Secretary General to carry out or have carried out a mission to verify the processing implemented by the company CLEARVIEW AI;

Considering the referrals n ° 20012263, n ° 20008376, n ° 20022230 and n ° 21010202;

Having regard to the documentary control questionnaire of October 27, 2020;

Having regard to the other documents in the file;

I. The procedure

The company CLEARVIEW AI (hereinafter "the company" or "Clearview"), established in the United States, was created in 2017. It has developed facial recognition software, the database of which is based on the aspiration of photographs publicly available on the Internet, which identify a person from a photograph representing him.

The National Commission for Informatics and Freedoms (hereinafter "CNIL") received several complaints between May and December 2020 relating to the difficulties encountered by complainants in exercising their rights of access and erasure with the company.

In application of the decision n ° 2020-116C of August 26, 2020 of the President of the CNIL, a delegation of the CNIL carried out a documentary control mission by sending a questionnaire on October 27, 2020, to which the CNIL company responded by letter of the following November 27. This questionnaire focused on the various processing operations implemented by the company, the user organizations of the company's services (current or former) having their main establishment in France or within the European Union as well as complaints n ° 20008376 and nr. ° 20012263.

On May 27, 2021, the CNIL received a complaint from the Privacy International organization (referral n ° 21010202) relating to the company's facial recognition software and its use by law enforcement agencies.

As part of the mutual assistance provided for in article 61 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter the "GDPR" or the "Regulation), the CNIL is is seen imparting useful information by several of its European counterparts.

II.The context

From useful information, transmitted in the framework of cooperation between supervisory authorities, publicly accessible information as well as complaints received by the Commission, it appears that the company uses clean technology to index freely accessible web pages. It collects all images that have faces on millions of websites. Photographs are thus extracted in particular from social networks (for example, Twitter or Facebook), professional sites containing photographs of their employees, blogs and all sites on which photographs of people are publicly accessible. Images are also taken from videos available online, for example at www.youtube.com. This collection concerns images of both adults and minors, no filter being applied in this regard. Only hundreds of URLs, associated with "adult" sites with the largest audiences, are blocked and excluded from collection.

The collection of these images on social networks covers all of the images accessible at the time of collection to a person not connected to the network in question. Outside of social networks, the collection concerns all the images accessible at the time of collection by a search engine. The company has thus collected more than ten billion images.

From each photograph collected, the company calculates a biometric template. A unique digital imprint, specific to the face as it appears in the photograph (based on the points of the face) is thus generated. The billions of images are then saved to a database in a searchable form (using the digital fingerprint).

The company markets access to an online platform with a search engine. This tool works by uploading a photograph of a face to it. From this photograph, the tool calculates the digital fingerprint corresponding to it and searches the database for photographs to which similar fingerprints are linked. The software produces a search result, composed of photographs, to which is associated the URL of the web page from which they were extracted (social network, press article, blog ...). This search result thus compiles all the images society collects about a person as well as the context in which these images are online, such as, for example, the social media account or a newspaper article.

The company describes the service it offers as "a search tool used by law enforcement agencies to identify perpetrators and victims of crimes" from a photograph. It says on its website that the tool allows, for example, "analysts" to conduct research by uploading crime scene footage to compare with those that are publicly available. Law enforcement can thus use this tool to identify a person of whom they have an image (for example, from a CCTV recording) but do not know the identity.

III.On the applicability of the GDPR

Pursuant to Article 3, paragraph 2 of the GDPR: "This Regulation applies to the processing of personal data relating to data subjects who are in the territory of the Union by a controller or a sub -contractor who is not established in the Union, when the processing activities are linked to: […] b) monitoring the behavior of such persons, insofar as this is behavior that takes place in the within the Union. "(emphasis added).

Recital 24 of the GDPR specifies in this regard that "The processing of personal data of data subjects who are located in the Union by a controller or a processor who is not established in the Union should also be subject to this Regulation when such processing is linked to the monitoring of the behavior of such persons in so far as it concerns their behavior within the Union. behavior of data subjects, it should be established whether natural persons are followed on the internet, which includes the possible subsequent use of personal data processing techniques which consist of profiling of a natural person, in order to including making decisions about her or analyzing or predicting her preferences, behaviors and moods "(emphasis added).

By way of clarification, in its guidelines 3/2018 relating to the territorial scope of the GDPR in their version of 12 November 2019, the European Data Protection Board (hereinafter "the EDPS") notes that, " Contrary to the provision of Article 3 (2) (a), neither Article 3 (2) (b) nor Recital 24 expressly introduces a necessary degree of "intention to target" of the part of the controller or processor to determine whether the monitoring activity would trigger the application of the GDPR to processing activities. However, the use of the word "monitoring" implies that the controller is pursuing a specific objective by view of the collection and subsequent reuse of relevant data relating to a person's behavior within the Union. The Committee does not consider that the online collection or analysis of personal data relating to persons in the Union would automatically be considered a "follow-up". It will be necessary to take into account the purpose of the data processing by the controller and, in particular, any subsequent behavioral analysis or profiling technique involving such data. The Committee takes into account the wording of recital 24, which indicates that in order to determine whether the processing involves the monitoring of the behavior of a data subject, the monitoring of natural persons on the internet, including the potential subsequent use of profiling techniques , is an important factor ".

Insofar as the company is not established in the European Union, it is therefore necessary, for the GDPR to be applicable to the processing in question, to determine whether the processing concerns personal data relating to data subjects on the territory of the European Union and whether the processing is linked to monitoring the behavior of these persons.

First of all, it emerges from the company's confidentiality policy appended hereto that the company collects in particular:

photographs publicly available on the Internet;

information that can be extracted from these photographs, such as geolocation metadata that the photograph may contain;

information derived from the facial appearances of the people in those photographs.

These three categories of data constitute personal data of the person whose face appears in the photograph in question. Indeed, the notion of personal data is defined in the GDPR as "any information relating to an identified or identifiable natural person [...]", this identification being able to relate in particular "to one or more specific elements specific to his identity. physical ". The image of the person photographed or filmed constitutes personal data as soon as the person is identifiable, that is to say, it can be recognized. In addition, this image can be compared (by an automated process or not) with an image held elsewhere and attached to an identified person and the identity of that person can be inferred. The company also processes biometric data associated with these images.

In addition, the images collected concern people located in the European Union. Indeed, this collection is not geographically limited to the American territory on which the company is established, since this data is collected on the Internet, in particular from global social networks. The CNIL notes that, in the context of its responses to the questionnaire sent by the control delegation, the company acknowledges processing personal data of European residents, in particular by affirming that it accepts all access and opposition requests. made by residents of the European Union. In particular, people located in France were affected by the processing in question since the CNIL received three complaints from people residing in France relating to the difficulties encountered in the exercise of their right of access and opposition. from the company.

Therefore, the company processes personal data of natural persons located in the European Union and, in particular, in France.

Second, in order to establish whether the processing activity in question can be considered to be linked to the monitoring of the behavior of data subjects within the meaning of Article 3 of the GDPR, it is necessary to determine whether the natural persons are doing the same. subject to Internet tracking.

In accordance with recital 24 of the GDPR, the notion of Internet tracking includes the possible subsequent use of personal data processing techniques which consist of profiling of a natural person. Profiling is defined in Article 4 of the GDPR as "any form of automated processing of personal data consisting of using this personal data to evaluate certain personal aspects relating to a natural person". It should also be noted that Article 3 of the GDPR does not require that the processing has as its purpose the monitoring of the behavior of individuals but is simply "linked" to it.

It should be noted as a preliminary point that the processing operations implemented by the company in order to collect data and constitute a database, which a search engine accesses to provide a result are analyzed here globally, in with regard to their common purpose, which is to market a search engine based on facial recognition (hereinafter "the processing").

First, the processing in question leads to the creation of a behavioral profile of all the people whose data is collected.

It emerges from the useful information, transmitted within the framework of cooperation between supervisory authorities, that the tool in question makes it possible to generate, from a photograph, a search result containing all the photographs having a sufficiently biometric template. close to it. This search result includes all photographs in which a person's face appears that have been collected by the company, subject to technical error.

The profile thus created, relating to a person, is composed of photographs but also of the URL address of all the web pages on which these photographs are located. However, the relation between photographs and the context in which they are presented on a website allows us to collect a great deal of information about a person, his habits or his preferences. With regard to social networks in particular, a photograph as well as the original URL of this photograph are highly likely to identify the account of the person concerned. The photographs may also have been posted online to illustrate a press or blog article, which is therefore likely to contain precise information relating to the person concerned and thus elements relating to his behavior.

In addition, images may contain metadata, such as geolocation metadata, which is also included in a search result and helps complete a person's profile.

Such a search result can also identify a person's behavior on the Internet, by analyzing the information that person has chosen to put online and its context. Indeed, posting photographs online constitutes in itself a behavior of the data subject, reflecting choices on the level of exposure that he wishes to give to elements of his private or professional life.

Therefore, it should be considered that the search result which is associated with a photograph must be qualified, at least in part, as a behavioral profile of the data subject since it contains a great deal of information relating to that person and in particular to his behavior. Even assuming that the purpose of the processing itself is not behavioral monitoring, the means implemented to enable the biometric identification system of the company Clearview involve the constitution of such a profile, and the processing can be viewed. as "linked to the monitoring of the behavior" of the persons concerned.

Second, the automated processing of data enabling this behavioral profile to be created and made available to those making the queries in the company's search engine should qualify as Internet tracking.

Indeed, the very purpose of the tool marketed by Clearview is to be able to identify and collect certain information relating to a person. The implementation of the various stages of the treatments described above, and in particular of biometric techniques allowing to single out an individual, lead to the creation of a behavioral profile. However, this profile is created in response to a search carried out by a person and relating to an individual appearing in a photograph.

In addition, the search can be repeated over time, which makes it possible to observe a change in the information relating to a person, in particular if the results of successive searches are compared. Indeed, the database being updated regularly, successive searches make it possible to follow the evolution of a profile over time.

Therefore, the fact that a one-off search allows, at any time, access to a person's profile as described above should be considered as tracking the behavior of people.

The processing implemented in this way is therefore linked to monitoring the behavior of data subjects within the meaning of the provisions of Article 3.2.b) of the GDPR and falls within the territorial scope of the GDPR.

IV. On the competence of the CNIL and the lack of applicability of the one-stop-shop mechanism

Article 55.1 of the GDPR provides that "each supervisory authority is competent to exercise the missions and powers vested in it in accordance with this Regulation on the territory of the Member State to which it belongs".

Article 56.1 provides: "Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or of the processor is competent to act as the supervisory authority. lead control concerning cross-border processing carried out by that controller or processor, in accordance with the procedure provided for in Article 60. "

Recital 122 of the GDPR states: "Each supervisory authority should be competent in the territory of the Member State to which it belongs to exercise the missions and powers vested in it in accordance with this Regulation. This should cover, in particular, [... ] the processing carried out by a controller or a processor who is not established in the Union when this processing targets data subjects residing in the territory of the Member State to which it belongs. […] "

It emerges from a combined reading of Articles 55 and 56 of the GDPR that, in the event that a data controller located outside the European Union implements cross-border processing subject to the GDPR but does not have neither a central administration, nor an establishment with decision-making power as to its purposes and means, the one-stop-shop mechanism provided for in article 56 of the GDPR is not intended to apply. Each national supervisory authority is therefore competent to monitor compliance with the GDPR on the territory of the Member State to which it belongs.

In this case, the company is established in the United States of America and has no establishment in the territory of any member state of the European Union.

Consequently, the one-stop-shop mechanism is not applicable and the CNIL is competent to ensure, on French territory, that the processing operations are implemented in accordance with the provisions of the GDPR.

V. On breaches of the GDPR

1.A breach of the obligation to have a legal basis for the processing operations carried out

Article 6 of the General Data Protection Regulation provides that: "Processing is only lawful if and to the extent that at least one of the following conditions is met:

a) the data subject has consented to the processing of their personal data for one or more specific purposes;

b) the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the latter's request;

c) processing is necessary for compliance with a legal obligation to which the controller is subject;

d) the processing is necessary to protect the vital interests of the data subject or of another natural person;

e) the processing is necessary for the performance of a task of public interest or falling within the exercise of official authority vested in the controller;

f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject prevail which require protection of personal data, in particular when the person concerned is a child. "

To be lawful, the processing of personal data must therefore be based on one of the legal bases referred to above.

From the useful information transmitted within the framework of the cooperation between supervisory authorities, it appears that the facial recognition software implemented by the company is based on the systematic and generalized collection, from millions of websites around the world, of images containing faces, using proprietary technology to index freely accessible web pages.

The company then processes the data collected in order to constitute a database and allow the photographs to be searched in this database from another image.

This processing is carried out by the company for exclusively commercial purposes.

As part of the investigations carried out by the CNIL, the company was questioned on the legal basis of this processing, within the meaning of Article 6 of the GDPR. The company has not provided any response on this point. The company's privacy policy, previously mentioned, does not further discuss the legal basis for such processing.

It can be noted from the outset that the company has not obtained the consent of the data subjects to the processing of their personal data.

In addition, given the nature of the processing in question, the legal bases provided for by the provisions of Article 6.1 under b), c), d) and e) of the GDPR and related to the performance of a contract , compliance with a legal obligation, the protection of the vital interests of the data subject or of another natural person and the performance of a task of public interest do not apply in the present case. .

With regard to the legal basis linked to the legitimate interests pursued by the data controller, provided for in Article 6 1. f) of the Regulation, it should be recalled as a preliminary point that the "publicly accessible" nature of data does not affect the qualification of personal data and that there is no general authorization to reuse and re-process publicly available personal data, in particular without the knowledge of the data subjects.

By way of illustration, the article 29 working group (known as "G29" now the European Data Protection Board (EDPS)), in its Opinion 06/2014 on the notion of legitimate interest pursued by the data controller data processing within the meaning of Article 7 of Directive 95/46 / EC, noted in this regard that "personal data, even if they have been made public, remain considered as personal data" and that "their treatment therefore continues to require appropriate guarantees". While acknowledging that the fact that personal data are accessible to the public may be a relevant factor in concluding the existence of legitimate interests, the EDPS then warned that this would only be the case "if their publication was accompanied by a reasonable expectation of subsequent use of the data for certain purposes, for example, for research or for the sake of transparency and accountability. "

In addition, for the controller to be able to avail himself of this legal basis, the processing must be necessary for the purposes of the legitimate interests he pursues, unless the interests or fundamental rights and freedoms of the data subjects prevail.

In the present case, even if the interest of the company were based on the economic interest which it derives from the use of the database in question, that interest should nevertheless be weighed against the interests or freedoms and fundamental rights of data subjects, taking into account the reasonable expectations of individuals based on their relationship with the controller, in accordance with Article 6.1.f) of the GDPR, read in the light of recital 47 and the opinion of the EDPS on the concept of legitimate interest mentioned above.

In this case, the processing is particularly intrusive: it collects a large amount of photographic data from a given person, to which are associated other personal data that may reveal various aspects of private life. From these data, a biometric template is formed, i.e. biometric data allowing, if it is reliable, to uniquely identify the person from a photograph of the person: the detention of 'such data by a third party constitutes a serious invasion of privacy. Finally, it should be noted that this processing concerns an extremely high number of people.

Furthermore, it should in particular be determined whether the data subjects could reasonably expect, at the time and in the context of the collection of personal data, that they would be the subject of such processing by the Clearview company. In this regard, there is no relationship between the company and the persons concerned. While they can reasonably expect third parties to access the photographs in question from time to time, their publicly accessible nature is not sufficient to consider that the persons concerned can reasonably expect their images to feed into software for facial recognition. Finally, the software used by the company is not public and the vast majority of those affected are unaware of its existence.

It must therefore be considered that people who have published photographs representing them on websites, or have consented to this publication to another data controller, do not expect them to be reused for the purposes. pursued by the company, that is to say the creation of facial recognition software (which associates the image of a person with a profile containing all the photographs in which it appears, the information that these photographs contain as well as the websites on which they are located) and the marketing of this software to law enforcement agencies.

Therefore, in view of all of these elements, the invasion of the privacy of individuals appears disproportionate with regard to the interests of the data controller, in particular his commercial and pecuniary interests, and the legal basis of the legitimate interest. of the company cannot therefore be retained.

Consequently, the company has no legal basis for the processing in question, in breach of Article 6 of the Rules.

2.A breach of the obligation to respect the right of access

Article 15 of the GDPR provides that "the data subject has the right to obtain from the controller confirmation that personal data concerning him or her are or are not being processed and, when they are, access to said data. personal data ". This article also provides for the different categories of information that the data controller must provide to the data subject in the event of an access request.

Article 12 specifies that: "the controller facilitates the exercise of the rights conferred on the data subject under Articles 15 to 22"

In the present case, it appears from referral no.20012263 that the complainant requested the company to access the data concerning her and all the information relating to this data within the meaning of article 15.1, by electronic means. .

In fact, the complainant mandated a third party to make her access request to the company. Clearview acknowledged receipt while inviting the complainant to use an online platform to exercise her request. More than two months after the initial request and after three more e-mails sent by the authorized third party, the company demanded the transmission of a photograph and an identity document of the complainant and again invited the complainant to use an online platform to make her request. Four months after the initial request, after further exchanges relating to the transmission of an identity document and in the absence of a satisfactory response, the authorized third party sent a letter of formal notice to the company.

The company has communicated a response to the request for access which, first of all, is partial. Indeed, it contains only the result of the search in the tool marketed by the company, that is to say the images and the information associated with them. All of the information provided for in Article 15.1 of the GDPR is therefore lacking, the company having contented itself with providing a link to its privacy policy.

Then, by agreeing to respond to the complainant's request for access only after seven letters and more than four months after her initial request and by requiring a copy of her identity document while the complainant had already provided information enabling her to be identified as well as a photograph representing her, Clearview did not facilitate the exercise of the complainant's rights.

Finally, it is apparent from the company's privacy policy that it limits the exercise of the right of access to data collected during the twelve months preceding the request and restricts the exercise of this right to twice a year. However, the company's confidentiality policy does not specify the retention period of the data and it does not emerge from the documents in the file that the retention of the data in question would be limited to twelve months.

It emerges from these elements that the company does not respond effectively to access requests addressed to it under Article 15 of the GDPR and does not facilitate the exercise of the right of access by data subjects.

These facts constitute a breach of Articles 12 and 15 of the Rules.

3.A breach of the obligation to respect the right to erasure

Article 17 of the GDPR provides: "The data subject has the right to obtain from the controller the erasure, as soon as possible, of personal data concerning him and the controller has the obligation to erase these personal data as soon as possible, when one of the following grounds applies: […] the personal data have been the subject of unlawful processing ".

It appears from referral no.20012263 that the complainant received no response from the company regarding the erasure of her data that she had requested from the company.

However, since the Commission considers that the processing carried out cannot be based on any valid legal basis with regard to European regulations, the erasure was automatic.

This fact constitutes a breach of section 17 of the Rules.

Consequently, the company Clearview AI, located 214 W 29TH ST in NEW YORK CITY (10001 - United States of America), is put on formal notice within a period of two (2) months from the notification of this decision. and subject to the measures it could already have adopted, to:

- not to proceed without a legal basis to the collection and processing of personal data relating to data subjects who are on French territory as part of the operation of the facial recognition software that it markets, and in particular, to delete all the personal data of these people (after responding to requests for access already made, if applicable);

- facilitate the exercise of the rights of data subjects and in particular, respond effectively to the request for access made by the complainant in question;

- grant the request for erasure made by the complainant in question;

- justify to the CNIL that all of the aforementioned requests have been complied with, and this within the allotted time.

At the end of this period, if Clearview AI has complied with this formal notice, this procedure will be considered closed and a letter will be sent to it to this effect.

Conversely, if the company Clearview AI has not complied with this formal notice, it is recalled that a rapporteur may be appointed to request that the restricted committee pronounce one of the sanctions provided for in article 20 of the amended law of 6 January 1978.

The president

Marie-Laure DENIS