CNIL (France) - SAN-2022-019
| CNIL - Délibération SAN-2022-019 | |
|---|---|
 | |
| Authority: | CNIL (France) |
| Jurisdiction: | France |
| Relevant Law: | Article 3(2) GDPR Article 6 GDPR Article 12 GDPR Article 15 GDPR Article 17 GDPR Article 32 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 17.10.2022 |
| Published: | |
| Fine: | 20,000,000 EUR |
| Parties: | Clearview AI |
| National Case Number/Name: | Délibération SAN-2022-019 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | French |
| Original Source: | CNIL (in FR) |
| Initial Contributor: | n/a |
The French DPA fined the controller the maximal possible fine of €20,000,000 under Article 83 GDPR for violations of Articles 6, 12, 15, 17 and 32 GDPR for providing an facial recognition service.
English Summary
Facts
The controller is a company which operates a facial recognition tool (the tool) to identify data subjects using pictures and video´s posted online (online content). The controller is established in the United States and has no establishment in the European Union (EU), but it processes personal data of EU data subjects. Specifically, it collects online content in which faces appear, including faces of minors.
The tool indexes freely accessible web pages and social media platforms. After the indexing, the tool extracts all images with faces of data subjects. Based on these images, the controller calculates a mathematical hash for each data subject, which is in turn based on a biometric template of the face in the picture. The mathematical hash is used to make data subjects searchable in the database. The controller sells access to its database to third parties, such as law enforcement. These third parties can upload a picture of a face to start a search for a data subject, after which the tool creates a mathematical hash for this uploaded picture. This new hash is compared with existing hashes. When the hashes are similar, the tool collects all the images with the same hash with a reference to the original source of each picture. This process makes it possible to identify data subjects.
In its privacy policy, the controller stated that data subjects could only exersise their right of access twice a year. The controller did not mention a retention period for the data in this policy.
The DPA received several complaints from the data subjects regarding the rights of access (Article 15 GDPR) and erasure (Article 17 GDPR). One data subject requested a third party to make an access request on her behalf. The controller acknowledged that it had received this request and invited the data subject to use an online platform to exercise her right, but failed to answer to the follow up requests on multiple occasions. When answering to the last request, the controller also asked for the submission of a photograph and ID card and repeated the invitation to use its online platform to exercise the right of access. After 4 months and 7 letters, the controller provided access for this data subject. Another data subject had complained that it had submitted an request for erasure, but had never received an answer form the controller. The DPA started an investigation following these complaints.
Holding
GDPR applicable? (Article 3(2) GDPR)
The DPA held that the GDPR was applicable pursuant of Article 3(2) GDPR. The DPA stated that it was necessary to determine two things: (1) whether the controller processed personal data relating to data subjects in EU territory and (2) if this processing was linked to the monitoring of the behaviour of those individuals (recital 24 and Guidelines 3/2018).
(1) The DPA held that the controller collected three sorts of personal data according to its privacy policy. It determined that the controller collected publicly accessible photographs on the internet, information extracted from these photographs (such as geolocation data) and information from the facial appearance of data subjects in these photographs. The DPA referred to the Rynes-case, stating that the image of the individual photographed or filmed constitutes personal data when the individual can be recognised. The DPA additionally determined that the controller also processed biometric data (Article 4(1)(14) GDRP) and that the collection of pictures also concerned data subjects in the EU.
(2) Secondly, the DPA held that the processing of the controller was linked to the monitoring of the behaviour of data subjects (Article 3(2)(b) GDPR). The DPA stated that the processing merely had to be ‘related’ to the monitoring. It is not necessary that monitoring it the primary purpose of the processing. The DPA stated that monitoring also included profiling (Article 4(1)(4) GDPR and recital 24). (a) The DPA held that the search result associated with a photograph must be qualified as a behavioural profile of the data subject because it contained numerous pieces of information about data subjects or allows access to this information. The DPA stated that the controller created such behavioural profiles using all its collected pictures of data subjects in its database, including links to the original source of the images on the internet. The DPA stated that this made it possible to gather many different bits of information on the data subject. For example, it was possible to identify a social media account of a data subject with the URL and the profile picture. The search result in the database also included metadata, which enabled the possibility of supplementing an individual’s profile. This search also made it possible to identify a data subject’s behaviour on the internet, by analysing what they have decided to put online. (b) The DPA also held that the processing of the controller constituted monitoring on the internet. It stated that the very purpose of the tool was to identify and collect certain information by the controller and made searches into data subjects possible. It also stated that a third party could search multiple times, which made it possible to detect a change in behaviour if the database was updated regularly.
Applicability of one stop shop mechanism
The DPA held that the one-stop-shop mechanism was not applicable in this situation and held that every supervisory authority was competent to deal with this case. The reason for this was the fact that there was no principal place of business or sole establishment of the controller. (Articles 55(1) and 56(1) GDPR and recital 122).
No legal ground for processing (Article 6 GDPR)
The DPA held that the controller violated Article 6 GDPR because it did not have a legal ground for processing (Article 6 GDPR) (recital 47). It stated that the controller processed data solely for commercial purposes, despite the fact of the possibility that its service could be used by law enforcement agencies. The controller’s privacy policy did not mention any mention of a legal basis, and the DPA held that the legal grounds of Article 6(1)(b), 6(1)(c), Article 6(1)(d) and Article 6(1)(e) GDPR were not applicable in this case. It also held that the controller could not rely on legitimate interests ((Article 6(1)(f) GDPR and (recital 47)) because it ruled the balancing exercise of the controller’s interests against the interests of the data subjects in favour of the latter.
Violation of the right of access (Article 15 GDPR) The DPA held that the controller violated Articles 12 and 15 GDPR. It stated that the answer of the control was only partial, because all the information in Article 15(1) GDPR was missing from the response, in which the controller only referred to its privacy policy. It only contained results of a search in the database. It also held that the limitation on the right of access (twice every year) had no basis, because the privacy policy did not specify the retention period of the personal data.
Violation of the right of erasure (Article 17 GDPR) The DPA held that the controller violated Article 17 GDPR because the controller did not reply to an erasure request by a data subject. The DPA determined that since there was no legal basis for the processing, erasure was legally binding
Violation fo lack of cooperation with the DPA (Article 32 GDPR) The DPA held that the controller violated Article 32 GDPR because it did only partially answer an information and neglected an order by the DPA to comply with the GDPR. The DPA fined the controller the maximum amount of €20,000,000 under Article 83 GPDR and considered several aggravating factors, such as the severity of the violation of Article 6 GDPR and the fact the biometric template of faces in pictures was considered sensitive personal data (Article 9 GDPR) according to the DPA.
Comment
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
