from the suprisingly-not-terrible-use-of-the-GDPR dept
Clearview is again on the receiving end of an order demanding it delete all the local data it scraped from thousands of websites and social media platforms.
Canada led the way in booting the facial recognition company, ordering its exit in February. A government investigation concluded Clearview had broken the country’s privacy laws with its web scraping and ordered it to delete all Canadian data.
Australia was next, kicking Clearview out in November. It too concluded (after an investigation) that laws were broken by the country. The United Kingdom followed suit, more or less. It didn’t kick Clearview out but threatened it with a $23 million fine and forbade it from processing any more data collected in the UK.
Now, it’s France’s turn. The GDPR is in play this time, which means this announcement is likely to be followed by similar orders from other members of the European Union. Richard Nieva reports on the latest for BuzzFeed.
Facial recognition company Clearview AI has been hit with another order by a country’s watchdog agency to delete the personal data of its citizens, the latest in a global rebuke by privacy regulators around the world.
On Thursday, France’s Commission Nationale Informatique et Libertés (CNIL) said Clearview had breached Europe’s overarching data protection law, known as GDPR. It gave the company two months to delete the personal information it had collected and stop “unlawful processing” of the data.
Clearview hasn’t been actually asked to leave, but considering its business model relies on it breaking local laws, there’s little reason for it to stick around. Its CEO has responded with some overdone shrugging, claiming it doesn’t matter what France says because it doesn’t maintain a local office.
In response to the claims, Clearview AI CEO Hoan Ton-That argued that his company isn’t bound by Europe’s data regulation law. “Clearview AI does not have a place of business in France or the EU, it does not have any customers in France or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR,” he said in an emailed statement.
While some of that may be true, it’s pretty clear a lot of it isn’t. I don’t believe Clearview geofences its data-scraping, which means it’s certainly still collecting info on European residents. And claiming it has no customers in France or the EU is demonstrably false.
Data reviewed by BuzzFeed News shows that by early 2020, Clearview had made its way across Europe. Italy’s state police, Polizia di Stato, ran more than 130 searches, according to data, though the agency did not respond to a request for comment. A spokesperson for France’s Ministry of the Interior told BuzzFeed News that they had no information on Clearview, despite internal data listing employees associated with the office as having run more than 400 searches.
While it may be technically true it has no customers in the European Union, entities in the union were at least given trial access to Clearview’s AI and utilized it. Those are the kind of “activities” that would be “subject to the GDPR.” The locals weren’t running searches on American citizens. They were running them on residents of their respective countries, meaning there was searchable data collected by Clearview in violation of the GDPR.
At this point, Clearview may no longer be collecting data on Europeans and other countries that have demanded it delete data. But that doesn’t mean it’s legally in the clear. A belated exit is better than nothing, but no documents have surfaced that show Clearview isn’t still gathering data from areas where it’s been told to cease operations. All we have are Clearview’s assurances, which aren’t all that reassuring, considering they’re half-truths at best. It still has yet to show it has learned anything from the past 18 months of negative coverage and has never offered anything approaching contrition for its horrific actions and incredibly irresponsible business model.