policy monitor

Europe – Trouble for facial recognition company Clearview in Europe

Three European Data Protection Authorities (DPAs) have ruled that Clearview violates European data protection rules. While the main reasoning is roughly similar, there are a few differences in the respective decisions. Clearview does not agree with these decisions, as it is of the opinion that it does not do business in the EU. How these rulings will be enforced is an open question.

Summary

In a previous post we discussed the unlawful use of Clearview’s facial recognition software by the Belgian federal police. Now we will take a look at the decisions of the French (CNIL), Italian (Garante per la protezione dei dati personali) and British (ICO) Data Protection Authorities (DPAs), which have ruled that Clearview itself is in breach of several provisions of the GDPR (and the GDPR UK for the British data subjects).

Although there are some differences in the rulings, the DPAs’ main lines of reasoning are similar, namely a lack of legal basis, a lack of transparency and a violation of data subject rights.

  • Lack of legal basis

Article 6 GDPR states that the processing of personal data is lawful if, and to the extent that, at least one of the conditions listed in the same article is met. As Clearview scrapes the internet for human images, it is clear that people appearing in these images have not given their consent. Other legal bases, such as legal obligation or vital interest, also seem highly unlikely to be available. That leaves legitimate interest as the only possible legal basis.

The CNIL refers to Opinion 06/2014 of the former Article 29 Working Party which highlights that “personal data, even if it has been made publicly available, continues to be considered as personal data, and its processing therefore continues to require appropriate safeguards. There is no blanket permission to reuse and further process publicly available personal data under Article 7(f)”.

Moreover, even if the legitimate interest of Clearview is based on the economic interest it derives from its database, a balancing exercise is required between the interest and the rights and freedoms of the data subjects, taking into account the reasonable expectations of individuals.

The CNIL considers the processing by Clearview as very intrusive: it collects a large amount of photographic data on a given person, together with other personal data that may reveal various aspects of the private life. It must also be considered whether the data subjects could reasonably expect, at the time and in the context of the collection of their personal data, that these would later be processed by Clearview. While they may reasonably expect third parties to access the photographs in question from time to time, the fact that they are publicly accessible is not sufficient to consider that the data subjects may reasonably expect their images to be used in facial recognition software.

In view of all these elements, the infringement of the privacy of individuals appears disproportionate to the interests of Clearview, in particular its commercial and financial interests, and the legal basis of the company's legitimate interest cannot be accepted.

  • Lack of transparency and violation of data subject rights

According to the ICO, the processing by Clearview is not transparent because it is invisible to data subjects, since they are not made aware of the processing and would not reasonably expect their personal data to be processed in this way. Clearview also does not comply with Article 14 GDPR in relation to the provision of information to data subjects, as the latter would not “be aware of Clearview’s processing unless they happened to come across Clearview’s website (which describes the processing in general terms) and/or they happened to read reports about it in the media”.

Both the Garante and the CNIL instigated their investigations following complaints with regard to the right of access (Article 15 GDPR). The complainants did not receive the information in a timely manner and only received partial information. In addition, Clearview did not facilitate the complainants’ exercise of their right of access, for instance “by only agreeing to respond to the complainant's access request after seven letters and more than four months after her initial request, and by requiring a copy of her ID when the complainant had already provided identifying information and a photograph of herself”. Moreover, the company's privacy policy limited the exercise of the right of access to personal data collected in the twelve months preceding the request and restricted the exercise of this right to twice a year.

Finally, the CNIL also finds a violation of Article 17 (the right to be forgotten) because the complainant did not receive any response from Clearview with regard to the deletion of her personal data that she had requested. Regarding this right, the ICO found that “although Clearview has previously operated a mechanism for allowing data subjects to seek to have their personal data removed from the Clearview Database, it has now ceased to do so”, implying that the company also infringes Article 17.

  • Other considerations

The ICO and the Garante find a violation of the principle of storage limitation (Article 5(1)(e) GDPR). The company does not have a data retention policy, which leads to the belief that personal data is stored for an indefinite period. According to the ICO, its evidence indicates that the scale of the Clearview Database continues to grow.

In addition, they find a violation regarding the processing of special categories of personal data (Article 9(1) GDPR). The processing carried out by Clearview is not limited to a mere collection of data, but also consists of further processing that makes the collected images 'biometric data' and, therefore, subject to the stricter protections of Article 9 of the GDPR. In order to justify the processing of special categories of data, a controller can never invoke only a legal basis under Article 6 (supra), but must also apply, in a cumulative manner, the provisions of the aforementioned Article 9 in order to guarantee the relevant level of protection. In addition to having no legal basis under Article 6, Clearview does not satisfy the conditions set out in Article 9(2) GDPR in relation to its processing of biometric data.

Finally, the ICO finds that the company has at no time conducted a DPIA (Art. 35 GDPR) in respect of its processing of the personal data of UK residents. Nor is there any indication in the Representations that Clearview intends to do so at any point in the future.

In its response to the rulings, Clearview argues that it is not subject to the GDPR (UK) as it does not conduct business in the countries where it was investigated. Indeed, the Garante also ordered Clearview to appoint a representative in the EU “in order to facilitate exercise of data subject rights”. Although the GDPR has an extraterritorial reach, it remains to be seen how sanctions against foreign entities that don’t have any local establishments or executives in the EU will be enforced.

Update:

October 2022: CNIL fines Clearview AI: https://techcrunch.com/2022/10...