Challenge against Clearview AI in Europe
This legal challenge relates to complaints filed with 5 European data protection authorities against Clearview AI, Inc. ("Clearview"), a facial recognition technology company building a gigantic database of faces.
Information Commissioner’s Office (ICO) (UK)
Commission Nationale de l’Informatique et des Libertés (CNIL) (France)
Garante per la protezione dei dati personali (Italy)
Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα (Hellenic Data Protection Authority) (Greece)
On 27 May 2021, Privacy International (PI) filed complaints against Clearview AI with the UK and French data protection authorities (ICO and CNIL). Simultaneously, similar complaints were filed by Hermes Centre for Transparency and Digital Human Rights in Italy, Homo Digitalis in Greece, and noyb – the European Center for Digital Rights in Austria.
Clearview is a facial recognition company claiming to have built “the largest known database of 3+ billion facial images”. It uses an “automated image scraper” to search the web and collect any images that it detects as containing human faces. All these faces are then run through its proprietary facial software, to build a gigantic biometrics database. Clearview then sells access to this database to private companies and law enforcement authorities.
Various actions have been launched across the globe against Clearview’s practices, in countries with biometrics or data protection regulation. Our European complaints are based on various “data subject access requests”, as well as PI’s technical and legal analyses of Clearview’s practices. After various isolated complaints were filed by individuals against Clearview, and isolated enforcement actions taken by the Hamburg data protection authority and the Swedish data protection authority, the complaints seek a coordinated approach across Europe to tackle an inherently cross-border issue. The regulators have 3 months to respond after filing of the complaints.
The complaints argue that:
- The Regulation (EU) 2016/679 (General Data Protection Regulation) (“GDPR”) applies to Clearview’s collection and biometric processing of faces found online, as these consist in mass processing of European residents’ personal data;
- Clearview processes both “regular” personal data (Article 4(1) GDPR) and sensitive or “special categories” data (Article 9(1) GDPR);
- Clearview has no lawful basis for collecting and processing any of this data. In particular, it does not obtain data subjects’ consent and such practices cannot fall under its “legitimate interests”. In addition, the processing of special categories data cannot be considered to be of data that has been “manifestly made public” by the data subject (Article 9(2)(e) GDPR);
- Clearview contravenes a number of other GDPR principles, including the principles of transparency (Article 5(1)(a) GDPR) and purpose limitation (Article 5(1)(b) GDPR);
- The use of Clearview’s tool by law enforcement authorities does not fulfil the conditions for law enforcement processing required by the Law Enforcement Directive (2016/680) as transposed in EU member states’ national laws. The use of such an invasive, privately developed facial recognition database enabling social media intelligence by law enforcement would not be based on law, nor would it be necessary and proportionate.
The complaint filed with the ICO in the UK makes the same arguments, relying on the UK GDPR and the Data Protection Act 2018 instead.
Clearview’s technology and its use further the very harms that European data protection legislation was designed to remedy. PI therefore calls on the regulators to take coordinated enforcement action in order to protect individuals from these highly invasive and dangerous practices.
The article was first published by Privacy International here.
Image credit: Privacy International
(Contribution by: EDRi member, Privacy International)
Ban Biometric Mass Surveillance Today
If you're an EU citizen, you can help us change EU laws by signing the official #ReclaimYourFace initiative to ban biometric mass surveillance practices:
This ECI is open to all EU citizens, even if you currently live outside the EU (although there are special rules for Germany). Unfortunately if you are not an EU national, the EU’s official rules say that you cannot sign. Check https://reclaimyourface.eu other ways than non-EU citizens can help the cause.
Note to German citizens: It is possible to sign our ECI petition if you live outside the EU, but German rules mean that for German citizens specifically, your signature will only be valid if you are registered with your current permanent residence at the relevant German diplomatic representation. If you are not registered, then unfortunately your signature will not be counted. You can read more information about the rules. This rule does not apply to citizens of any other EU country.
Legally, if we reach 1 million signatures (with minimum thresholds met in at least 7 EU countries) then the European Commission must meet with us to discuss our proposal for a new law. They must then issue a formal communication (a piece of EU soft law) explaining why they are or are not acting on our proposal, and they may also ask the European Parliament to open a debate on the topic. For these reasons, a European Citizens’ Initiative (ECI) is a powerful tool for getting our topic onto the EU agenda and showing wide public support for banning biometric mass surveillance practices.