It is important that Clearview AI Inc. should delete not only all the photos it has collected so far of Greek residents, but also the biometric information needed to identify a particular face.
The background to the case is that several organizations, including Noyb, Privacy International (PI), Hermes Center and Homo Digitalis, filed a complaint against Clearview AI Inc. in May 2021 with the data protection authorities of France, Austria, Italy, Greece and England. As a result, this is the fourth time that Clearview AI Inc. has been sanctioned.
• In December 2021, the French data protection authority (CNIL) ordered Clearview AI Inc. to delete its image database and to cease data collection, as well as to facilitate the exercise of data subjects’ rights and to comply with deletion requests (the CNIL statement is available in French).
• In February 2022, the Italian Data Protection Authority (GPDP) also fined the company 20 million euros and ordered the deletion of data collected on Italian citizens as well as the discontinuation of biometric data processing (the decision is available in Italian).
• In May 2022, the UK Data Protection Authority (ICO) fined the company £7.5 million and ordered it to stop collecting and using publicly available online personal data of UK residents and to delete UK residents’ data from its systems (the decision is available in English).
What does Clearview AI do?
Clearview AI Inc. is an American company that develops facial recognition software based on artificial intelligence. According to its own claim, it has the largest known database, containing billions of facial images collected from social media platforms and other online sources. The people concerned are not informed that their personal data is being collected and used in this way. Clearview AI uses an automated tool that visits public websites and collects the images it discovers that contain human faces. Besides the images, the automated tool also collects the metadata that accompanies them, such as the website address and link.
The collected facial images are matched using facial recognition software created by the company in order to build the database. This Clearview AI Inc. database is accessible internationally to private companies and law enforcement agencies.
Customers can upload a photo of the person they are looking for to the app, which checks whether the uploaded photo matches any of the photos in the database. The application produces a list of images that have similar characteristics to the image provided by the customer, along with links to the websites from which the images were obtained.
What is the problem with that?
The decisions established that the data processing did not have an appropriate legal basis, that the principles of purpose limitation and storage limitation were not applied, and that the data processing operations were not transparent. In addition, data subjects are not properly informed about the processing, nor do they have the opportunity to exercise their rights under the GDPR.
What is the lesson from the case?
Clearview AI Inc. has previously stated that it is not based in the European Union, has no customers in the European Union, and does not carry out any activities that would fall within the scope of the General Data Protection Regulation (GDPR). However, the GDPR has extraterritorial effect, which means that it also covers cases where a person located in a third country processes the personal data of EU citizens. In other words, because Clearview AI Inc. (also) collects data on EU citizens, it falls within the scope of the GDPR regardless of the fact that the company is based in the US.
Enforcing sanctions, especially in the absence of local representation, can cause practical difficulties. For example, data protection authorities have the option of launching an investigation into the company’s clients, as the Swedish Data Protection Authority did last year when it fined local police for the illegal use of Clearview AI Inc.’s facial recognition software (the decision is available in Swedish).
The case of Clearview AI Inc. is another example of the fact that companies using artificial intelligence are increasingly subject to scrutiny by data protection authorities, and if their data processing practices do not fully meet the requirements of the General Data Protection Regulation (GDPR), they may face heavy fines.
“Providing adequate information is key, and in this regard it is worth mentioning the EU draft regulation on artificial intelligence. Regarding high-risk artificial intelligence systems (such as “real-time” and “non-real-time” AI systems for the remote identification of natural persons), it is strict: among other things, it creates information obligations, the violation of which carries a high fine; in the case of using prohibited practices, a fine of up to 30 million euros must be reckoned with. An important lesson learned from the presented cases is that the individual national data protection authorities can impose data protection fines independently of each other, which can be up to several times the maximum fine specified in the GDPR,” said Dr. Albert Lilly, legal expert in Deloitte Legal’s data protection and technology group.
“With services based on personal data, there is an increased risk that the data protection authorities will prohibit the continuation of a seriously illegal business model, making the work carried out until then impossible. In the current case, it is difficult to imagine how the service could comply with the General Data Protection Regulation, especially as criminal and private personal data is also handled, and the company’s activities raise privacy law and even criminal law issues,” added Dr. Zsombor Orbán, senior attorney in the data protection and technology group at Deloitte Legal.