Facial recognition company Clearview AI has been hit with another order by a country’s watchdog agency to delete the personal data of its citizens, the latest in a global rebuke by privacy regulators around the world.
On Thursday, France’s Commission Nationale Informatique et Libertés (CNIL) said Clearview had breached Europe’s overarching data protection law, known as GDPR. It gave the company two months to delete the personal information it had collected and stop “unlawful processing” of the data.
The order comes after similar decisions from the UK and Australia in recent weeks. Clearview has built its business by scraping people’s photos from the web and social media and indexing them in a vast facial recognition database.
The crackdown follows a series of BuzzFeed News investigations revealing widespread and sometimes unsanctioned use of the company’s facial recognition software around the world. In August, BuzzFeed News reported that France’s Ministry of the Interior is listed as having run more than 400 searches on Clearview, according to the facial recognition company’s internal data. Despite the records, a spokesperson for the agency at the time said it had no information on Clearview.
The Crimes Against Children unit of Interpol, an international police force based in Lyon, France, had tallied more than 300 searches, according to Clearview data. “A small number of officers have used a 30-day free trial account to test the Clearview software,” the unit said at the time. “There is no formal relationship between INTERPOL and Clearview, and this software is not used by INTERPOL in its daily work.”
France’s CNIL on Thursday said Clearview had committed two breaches of the GDPR: One violation was for the collection and use of biometric data “carried out without a legal basis.” Another was for a “lack of satisfactory and effective consideration” in requesting access to people’s data.
In response to the claims, Clearview AI CEO Hoan Ton-That argued that his company isn’t bound by Europe’s data regulation law. “Clearview AI does not have a place of business in France or the EU, it does not have any customers in France or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR,” he said in an emailed statement.
Clearview has also received blowback in other parts of the world. Last month, the UK’s national privacy watchdog warned the company that it faces a potential fine of £17 million, or $23 million, for “alleged serious breaches” of the country’s data protection laws. The same month, the Office of the Australian Information Commissioner (OAIC) demanded the company destroy all images and facial templates belonging to individuals living in the country.