Information Commissioner’s Office (ICO) (UK)

Commission Nationale de l’Informatique et des Libertés (CNIL) (France)

Garante per la protezione dei dati personali (Italy)

Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα (Hellenic Data Protection Authority) (Greece)

Datenschutzbehörde (Austria)

On 27 May 2021, Privacy International (PI) filed complaints against Clearview AI with the UK and French data protection authorities (ICO and CNIL). Simultaneously, similar complaints were filed by Hermes Centre for Transparency and Digital Human Rights in Italy, Homo Digitalis in Greece, and noyb – the European Center for Digital Rights in Austria.

Clearview is a facial recognition company claiming to have built “the largest known database of 3+ billion facial images”. It uses an “automated image scraper” to search the web and collect any images that it detects as containing human faces. All these faces are then run through its proprietary facial software, to build a gigantic biometrics database. Clearview then sells access to this database to private companies and law enforcement authorities.

Various actions have been launched across the globe against Clearview’s practices, in countries with biometrics or data protection regulation. Our European complaints are based on various “data subject access requests”, as well as PI’s technical and legal analyses of Clearview’s practices. After various isolated complaints were filed by individuals against Clearview, and isolated enforcement actions taken by the Hamburg data protection authority and the Swedish data protection authority, the complaints seek a coordinated approach across Europe to tackle an inherently cross-border issue. The regulators have 3 months to respond after filing of the complaints.

The complaints argue that:

• The Regulation (EU) 2016/679 (General Data Protection Regulation) (“GDPR”) applies to Clearview’s collection and biometric processing of faces found online, as these consist in mass processing of European residents’ personal data;
• Clearview processes both “regular” personal data (Article 4(1) GDPR) and sensitive or “special categories” data (Article 9(1) GDPR);
• Clearview has no lawful basis for collecting and processing any of this data. In particular, it does not obtain data subjects’ consent and such practices cannot fall under its “legitimate interests”. In addition, the processing of special categories data cannot be considered to be of data that has been “manifestly made public” by the data subject (Article 9(2)(e) GDPR);
• Clearview contravenes a number of other GDPR principles, including the principles of transparency (Article 5(1)(a) GDPR) and purpose limitation (Article 5(1)(b) GDPR);
• The use of Clearview’s tool by law enforcement authorities does not fulfil the conditions for law enforcement processing required by the Law Enforcement Directive (2016/680) as transposed in EU member states’ national laws. The use of such an invasive, privately developed facial recognition database enabling social media intelligence by law enforcement would not be based on law, nor would it be necessary and proportionate.

The complaint filed with the ICO in the UK makes the same arguments, relying on the UK GDPR and the Data Protection Act 2018 instead.

Clearview’s technology and its use further the very harms that European data protection legislation was designed to remedy. PI therefore calls on the regulators to take coordinated enforcement action in order to protect individuals from these highly invasive and dangerous practices.

The article was first published by Privacy International here.

Image credit: Privacy International

(Contribution by: EDRi member, Privacy International)