Facial recognition systems: 20 million fine against the American company Clearview.
The facial recognition platform
The platform developed by Clearview was a search engine, based on a machine learning technology that is subject to a patent application, which allows the service's client to find within the database the facial images of the searched subject.
In particular, the platform was based on a database of over 10 billion facial images collected on the Internet (e.g. social networks, blogs, websites, etc.) from publicly accessible sources through web scraping techniques; such images were subjected to a biometric processing with subsequent hashing for indexing and search purposes.
These images, processed into biometric data (512 vectors were used to identify the individual lines of a face), were then combined with metadata that could reveal particularly sensitive information, such as racial or ethnic origin, political opinions, religious or philosophical beliefs or even trade union membership or the title of the photo or web page, the link to the source, the geolocation, gender, date of birth, nationality and language.
Upon client's request to obtain images of a specific person, the artificial intelligence system created by the American company interrogated its database: first matching the requested image with its own data, then extracting all the corresponding images and finally presenting them to the client as a result of the search together with the metadata and the associated links.
The biometric search service offered by Clearview AI Inc. was not freely available to the public, but, as stated by the company itself, was targeted for certain categories of clients, including police forces and government agencies.
The main violations
During the preliminary phase, the Company declared that the services were not offered in Europe and, for this reason, it had not complied with the obligations provided for by the GDPR and that, in any case, it did not offer such service as a data controller.
However, the Italian DPA deemed that the service fell within the scope of the GDPR, since:
- the privacy requests of the Italian data subjects had been satisfied (although partially);
- in the past the service was also extended to European territory, as stated by the company itself;
- other EU DPA (Sweden) confirmed the existence of the processing in the EU territory.
Moreover, the Italian DPA confirmed that the company operated as a data controller, since it defined the methods and sources of data collection, created the facial recognition algorithm and determined the parameters for indexing its information and enriching it with metadata useful for more effective search results. There was also a purpose completely autonomous to the client’s ones, consisting in making available, upon payment, information -such as images and metadata- useful to clients for different and further purposes.
Clearview's mistaken belief that the European legislation was inapplicable has resulted in the violations of the major principles and obligations set forth in the GDPR, including:
- the failure to comply with the principles of lawfulness, fairness and transparency, since the data subjects had no contact with the Company, they were not directly or indirectly informed of the activities carried out by the Company, nor they received any information even by consulting the Clearview website;
- the failure to comply with the purpose limitation principle, since, according to the Italian DPA, the public nature of the online images was not sufficient to assume that the persons concerned could reasonably expect to be subjected to a facial recognition system offered by a private company not established in the European Union and of whose existence most of the persons concerned were unaware;
- the unlawful use of the legitimate interest as the legal basis for the processing since, according to the Italian DPA, such activities implied a particular intrusiveness in the private sphere of individuals, so that the legitimate interest claimed by the Company, consisting of a mere profit-making purpose, could not prevail over the rights and freedoms of the data subjects;
- the lack of reference in the privacy policy to the GDPR and to the main information required by it;
- the information made available to data subjects who have exercised their privacy rights was not provided in a comprehensive manner and in time;
- the failure of the U.S. data controller to designate a representative in the European Union.
Based on these violations, the Italian DPA imposed an administrative fine of 20 million euros on Clearview. The Authority also ordered the company to delete the data relating to people located in Italy and prohibited further collection and processing through its facial recognition system.
The decision of the Italian DPA is not the only one: the Canadian data protection authority ("OPC") has also condemned Clearview AI Inc. for not having obtained the consent to the processing of data in the context of the same facial recognition service (the images present online, according to the OPC, could not be freely processed on the basis of the publicity of the data exception); similarly, the British and Australian authorities, during a joint investigation, as well as Sweden, have considered such processing illegitimate.
Conclusions
Besides strongly condemning the facial recognition activity carried out without the appropriate safeguards, the measure represents also an important precedent on the web scraping; the Italian DPA, in fact, stated that "the collection of personal data freely available on the Internet by means of web scraping techniques" "constitutes a processing of personal data, which must be justified by one of the legal bases provided for by art. 6 of the Regulation" and then specified that, in this case the web scraping could not be considered lawful since the legitimate interest was not an appropriate legal basis and there was no transparency in the relationship with the data subjects.
The Italian DPA's decision on Clearview AI Inc.'s service does not imply, as such, a ban on the use of facial recognition systems, which, according to current legislation, may actually be used within certain limits and under certain conditions.
Article provided by INPLP member: Chiara Agostini (R&P legal, Italy)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)