France's data protection regulator has ordered American facial recognition software firm Clearview AI to stop illegally processing images.
In a statement released today, the CNIL said that Clearview's facial recognition software relies on a database of photographs built by extracting photographs and videos publicly available on the internet.
The data protection authority commanded Clearview to desist from extracting such images from people on French territory and delete the data it had gathered in this manner within two months.
The CNIL launched an investigation into Clearview AI in the spring of 2020 after the authority received complaints from individuals about the company's data practices.
Investigators found that Clearview AI "does not respond effectively to requests for access and erasure. It provides partial responses or does not respond at all to requests."
The association Privacy International also warned the CNIL about Clearview's data practices in May 2021.
"These complaints revealed the difficulties encountered by the complainants in exercising their rights with Clearview AI," said the authority.
CNIL's probe found that Clearview AI had breached the General Data Protection Regulation (GDPR) in force in the European Union in two different ways.
The first violation committed by Clearview AI was the unlawful processing of personal data in breach of Article 6 of the GDPR. CNIL determined that Clearview AI was guilty of this transgression "because the collection and use of biometric data are carried out without a legal basis."
CNIL found that in an "intrusive and massive" process, Clearview AI extracted people's images from the internet for use by its facial recognition software without first obtaining their consent to do so.
"These people, whose photographs or videos are accessible on various websites, including social media, do not reasonably expect their images to be processed by the company to supply a facial recognition system that could be used by States for law enforcement purposes," stated the CNIL.
Clearview's second strike was its "failure to take into account the rights of individuals effectively and satisfactorily, in particular requests for access to their data" in contravention of Articles 12, 15 and 17 of the GDPR