CNIL (France) - SAN-2022-019

From GDPRhub
CNIL - Délibération SAN-2022-019
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 3(2) GDPR
Article 6 GDPR
Article 12 GDPR
Article 15 GDPR
Article 17 GDPR
Article 32 GDPR
Article 9 GDPR
Type: Investigation
Outcome: Violation Found
Decided: 17.10.2022
Fine: 20,000,000 EUR
Parties: Clearview AI
National Case Number/Name: Délibération SAN-2022-019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: n/a

The French DPA fined a controller €20,000,000 under Article 83 GDPR for violating Articles 6, 12, 15, 17 and 32 GDPR by providing a facial recognition service.

English Summary


The controller operates a facial recognition tool (the tool) to identify data subjects using pictures and video's posted online (online content). The controller is established in the United States and has no establishment in the European Union (EU), but processes personal data of EU data subjects. Specifically, it collects online content in which faces appear, including faces of minors.

The tool indexes freely accessible web pages and social media platforms. After the indexing, the tool extracts all images with faces of data subjects. Based on these images, the tool calculates a mathematical hash for each data subject, which is in turn based on a unique biometric template of the face in the picture. The mathematical hash is used to make data subjects searchable in the database.

The controller sells access to its database to third parties. These third parties can upload a picture of a face to start a search in order to identify data subject, after which the tool creates a mathematical hash for this uploaded picture. This new hash is compared with existing hashes in the database. When the hashes are similar, the tool collects all the images with the same hash, including a reference to the original source of each picture. This process makes it possible to identify data subjects.

In its privacy policy, the controller stated that data subjects could only exercise their right of access twice a year. The controller did not mention a retention period for the personal data.

The DPA received several complaints from data subjects regarding the rights of access (Article 15 GDPR) and erasure (Article 17 GDPR) between May and December 2020. One data subject requested a third party to make an access request on her behalf. The controller acknowledged that it had received this request and invited the data subject to use an online platform to exercise her right of access, but failed to answer follow up requests on multiple occasions. When answering to the last request, the controller also asked for the submission of a photograph and ID card and repeated the invitation to use an online platform to exercise the right of access. After 4 months and 7 letters, the controller provided access for this data subject. Another data subject had complained that it had submitted an request for erasure (Article 17 GDPR), but had never received an answer form the controller. The DPA started an investigation following these complaints.

During the investigation, on 26 November 2021, the DPA also ordered the controller to comply with several GDPR Articles. The controller did not provide a response. The investigation was concluded on 14 July 2022, to which the controller did not react either.


GDPR applicable? (Article 3(2) GDPR)

The DPA held that the GDPR was applicable pursuant of Article 3(2) GDPR. Because the controller was not established in the EU, the DPA stated that it was necessary to determine two things: (1) whether the controller processed personal data relating to data subjects in EU territory and (2) if this processing was linked to the monitoring of the behaviour of those individuals (recital 24 and Guidelines 3/2018).

(1) The DPA held that the controller collected three sorts of personal data according to its privacy policy. It determined that the controller collected publicly accessible photographs on the internet, information extracted from these photographs (such as geolocation data) and information from the facial appearance of data subjects in these photographs. The DPA referred to CJEU case law, stating that the image of the individual photographed or filmed constitutes personal data when the individual can be recognised (see CJEU 11 December 2014, Rynes, C-212/13, point 22 and CJEU, 14 February 2019, F.K., C-345/17). The DPA additionally determined that the controller also processed biometric data (Article 4(1)(14) GDRP) and confirmed that the collection of pictures also concerned data subjects in the EU.

(2) Secondly, the DPA held that the processing of the controller was linked to the monitoring of the behaviour of data subjects (Article 3(2)(b) GDPR). The DPA stated that the processing merely had to be ‘related’ to the monitoring. It was not necessary that monitoring of behaviour was the primary purpose of the processing. The DPA stated that monitoring could also include profiling (Article 4(1)(4) GDPR and recital 24). The DPA held that the search result associated with a photograph was a behavioural profile of the data subject because it contained numerous pieces of information about data subjects or allowed access to this information. The DPA stated that the controller created such behavioural profiles using all its collected pictures of data subjects in its database, including links to the original source of the images on the internet. The DPA stated that this made it possible to collect many different bits of information, such as information from a social media account or included metadata from the search. This search also made it possible to identify a data subject’s behaviour on the internet, by analysing what they have decided to put online. The DPA also held that the processing of the controller constituted monitoring on the internet. It stated that the very purpose of the tool was to identify data subjects and collect personal data. It also determined that a third party could search multiple times, which made it possible to detect a change in the data subject's behaviour.

Applicability of one-stop-shop mechanism

The DPA held that the one-stop-shop mechanism was not applicable in this situation of cross border processing and held that every supervisory authority in the EU was competent to deal with this case with regard to processing in its territory. The reason for this was the fact the controller was located in the United States and that there was main or sole establishment of the controller in the EU (Articles 55(1) and 56(1) GDPR and recital 122).

No legal ground for processing (Article 6 GDPR)

The DPA held that the controller violated Article 6 GDPR because it did not have a legal ground for processing (Article 6 GDPR) (recital 47). It stated that the controller processed data solely for commercial purposes, despite the possibility that the service could also be used by law enforcement agencies. The controller’s privacy policy did not mention any legal basis, and the DPA determined that the legal grounds of Article 6(1)(b), 6(1)(c), Article 6(1)(d) and Article 6(1)(e) GDPR were not applicable in this case. It also held that the controller could not rely on legitimate interests ((Article 6(1)(f) GDPR and (recital 47)), even if the controller had economic interests. The DPA ruled the balancing exercise of the controller’s interests on the one hand, against the interests of the data subjects on the other hand, in favour of the latter. It considered amongst other things that the processing was particularly intrusive.

Violation of the right of access (Article 15 GDPR)

The DPA held that the controller violated Articles 12 and 15 GDPR. It stated that the answer of the controller was only partial, because all the information mentioned in Article 15(1) GDPR was missing from the response. In its response, the controller only referred to its privacy policy. It also only contained results of a search in its database. The DPA determined that the limitation on the right of access for data subjects (twice every year) had no basis at all, because the privacy policy did not specify the retention period of the personal data.

Violation of the right of erasure (Article 17 GDPR)

The DPA held that the controller violated Article 17 GDPR because the controller did not reply to an erasure request by a data subject. The DPA determined that erasure was legally binding because there was no legal basis for the processing.

Violation for lack of cooperation with the DPA (Article 31 GDPR)

The DPA held that the controller violated Article 31 GDPR because it did only partially answer an information request and neglected an order by the DPA to comply with the GDPR.

The DPA fined the controller the amount of €20,000,000 under Article 83 GPDR and considered several aggravating factors, such as the severity of the violation of Article 6 GDPR and the fact that the biometric template of faces in pictures was considered sensitive personal data (Article 9 GDPR).


Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.