CNIL (France) - MED-2021-134
Relevant Law: Article 6 GDPR; Article 12 GDPR; Article 15 GDPR; Article 17 GDPR
National Case Number/Name: MED-2021-134
European Case Law Identifier: n/a
Original Source: Legifrance (in FR)
The French DPA (CNIL) ordered Clearview AI, a company conducting facial recognition on public web sources, to stop unlawfully collecting and processing the personal data of data subjects on the French territory, delete all such personal data collected previously, and set up clearer and more efficient procedures that enable the enforcement of the right of access and right to be forgotten.
English Summary
Facts
The CNIL received several complaints from individuals and NGOs about Clearview AI's processing of biometric data. The company trains facial recognition AI for law enforcement purposes, mainly on a large database drawn from public web sources, including social media. The CNIL started an EU-wide investigation in close collaboration with other competent EU DPAs.
Holding
The CNIL's investigations revealed two main breaches of the GDPR.
First, Clearview AI was illegally processing personal data. As stated in Article 6 GDPR, a legal basis is required to process personal data. The company had no legitimate interest to collect and process such sensitive data and therefore had to rely on a consent-based approach (Article 6(1)(b) GDPR). Since the company did not appear to seek any consent from individuals, the processing operations were deemed unlawful.
Second, Clearview AI had been unlawfully hindering individuals from exercising their rights. On the one hand, it provided insufficient information about its procedures and made them insufficiently accessible, in breach of Article 12 GDPR. On the other hand, the company had undermined individuals' right of access (Article 15 GDPR) and right to be forgotten (Article 17 GDPR) by:
- restricting access to data collected only in the 12 previous months;
- authorizing right of access only twice a year;
- answering requests only after several attempts from individuals;
- not effectively answering requests by providing incorrect and incomplete replies.
The CNIL sent Clearview a letter of formal notice stating that, within a two-month period, Clearview must facilitate the exercise of individuals' rights and stop processing data without a relevant legal basis, as well as delete any personal data collected previously.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.