The French regulator CNIL (Conseil Nationale de l’Informatique et des Libertés) on Thursday (Dec. 16) issued an order against Clearview AI requesting that the company stop collecting and using images and personal data obtained through facial recognition and to delete this data.
Clearview AI collects photographs from many websites, including social media, and can also extract images from videos posted online. The company has gathered more than 10 billion images worldwide.
In order to collect these images, Clearview uses facial recognition technology that is introduced in search engines to find a person based on their photograph. To use this technique successfully, the company builds a “biometric template” or digital representation of the person’s face. These biometric data are particularly sensitive, as they may be used to link the digital data to the physical identity.
After an investigation, the French privacy regulator concluded that Clearview didn’t obtain the consent of the people in the photos to collect their images to supply its software. Thus, CNIL stated that Clearview violated the EU General Data Protection Regulation (GDPR) for collecting and using biometric data without a legal basis and for failure to take into account the rights of individuals when they requested access to their data.
Clearview AI has two months to comply with the regulator’s order. If the company fails to comply, the CNIL could impose sanctions, including fines. This order only affects citizens in France, as the regulator’s jurisdiction is in French territory, but the company could face similar investigations and orders in other EU member states.