CNIL (France) - Délibération SAN-2022-019
Relevant Law: Article 3(2) GDPR, Article 6 GDPR, Article 12 GDPR, Article 15 GDPR, Article 17 GDPR, Article 32 GDPR, Article 9 GDPR
National Case Number/Name: Délibération SAN-2022-019
European Case Law Identifier: n/a
Original Source: CNIL (in FR)
The French DPA fined a controller €20,000,000 under Article 83 GDPR for violating Articles 6, 12, 15, 17 and 32 GDPR by providing a facial recognition service.
English Summary
Facts
The controller operates a facial recognition tool (the tool) to identify data subjects using pictures and videos posted online (online content). The controller is established in the United States and has no establishment in the European Union (EU), but processes personal data of EU data subjects. Specifically, it collects online content in which faces appear, including faces of minors.
The tool indexes freely accessible web pages and social media platforms. After the indexing, the tool extracts all images with faces of data subjects. Based on these images, the tool calculates a mathematical hash for each data subject, which is in turn based on a unique biometric template of the face in the picture. The mathematical hash is used to make data subjects searchable in the database.
The controller sells access to its database to third parties. These third parties can upload a picture of a face to start a search in order to identify a data subject, after which the tool creates a mathematical hash for the uploaded picture. This new hash is compared with the existing hashes in the database. When the hashes are similar, the tool collects all the images with the same hash, including a reference to the original source of each picture. This process makes it possible to identify data subjects.
The DPA received several complaints from data subjects regarding the rights of access (Article 15 GDPR) and erasure (Article 17 GDPR) between May and December 2020. One data subject requested a third party to make an access request on her behalf. The controller acknowledged that it had received this request and invited the data subject to use an online platform to exercise her right of access, but failed to answer follow-up requests on multiple occasions. When answering the last request, the controller also asked for the submission of a photograph and an ID card and repeated the invitation to use an online platform to exercise the right of access. After 4 months and 7 letters, the controller provided access for this data subject. Another data subject complained that they had submitted a request for erasure (Article 17 GDPR), but had never received an answer from the controller. The DPA started an investigation following these complaints.
During the investigation, on 26 November 2021, the DPA also ordered the controller to comply with several GDPR Articles. The controller did not provide a response. The investigation was concluded on 14 July 2022, to which the controller did not react either.
Holding
GDPR applicable? (Article 3(2) GDPR)
The DPA held that the GDPR was applicable pursuant to Article 3(2) GDPR. Because the controller was not established in the EU, the DPA stated that it was necessary to determine two things: (1) whether the controller processed personal data relating to data subjects in EU territory and (2) whether this processing was linked to the monitoring of the behaviour of those individuals (recital 24 and Guidelines 3/2018).
(2) Secondly, the DPA held that the processing of the controller was linked to the monitoring of the behaviour of data subjects (Article 3(2)(b) GDPR). The DPA stated that the processing merely had to be ‘related’ to the monitoring; it was not necessary that monitoring of behaviour was the primary purpose of the processing. The DPA stated that monitoring could also include profiling (Article 4(1)(4) GDPR and recital 24). The DPA held that the search result associated with a photograph was a behavioural profile of the data subject because it contained numerous pieces of information about the data subject or allowed access to this information. The DPA stated that the controller created such behavioural profiles using all the pictures of data subjects collected in its database, including links to the original source of the images on the internet. The DPA stated that this made it possible to collect many different bits of information, such as information from a social media account or metadata included in the search. This search also made it possible to identify a data subject’s behaviour on the internet, by analysing what they had decided to put online. The DPA also held that the processing of the controller constituted monitoring on the internet. It stated that the very purpose of the tool was to identify data subjects and collect personal data. It also determined that a third party could search multiple times, which made it possible to detect a change in the data subject's behaviour.
Applicability of one-stop-shop mechanism
The DPA held that the one-stop-shop mechanism was not applicable in this situation of cross-border processing and held that every supervisory authority in the EU was competent to deal with this case with regard to processing in its territory. The reason for this was the fact that the controller was located in the United States and that there was no main or sole establishment of the controller in the EU (Articles 55(1) and 56(1) GDPR and recital 122).
No legal ground for processing (Article 6 GDPR)
Violation of the right of access (Article 15 GDPR)
Violation of the right of erasure (Article 17 GDPR)
The DPA held that the controller violated Article 17 GDPR because the controller did not reply to an erasure request by a data subject. The DPA determined that erasure was legally required because there was no legal basis for the processing.
Violation for lack of cooperation with the DPA (Article 31 GDPR)
The DPA held that the controller violated Article 31 GDPR because it only partially answered an information request and neglected an order by the DPA to comply with the GDPR.
The DPA fined the controller €20,000,000 under Article 83 GDPR and considered several aggravating factors, such as the severity of the violation of Article 6 GDPR and the fact that the biometric template of faces in pictures was considered sensitive personal data (Article 9 GDPR).
Comment
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.