The US company accused of violating several GDPR policies should delete data relating to those in Italy.
Another blow to Clearview AI. The company, which specializes in facial recognition, was approved by Italy after being fined by the United Kingdom and formally notified by CNIL in France. On March 9, Guarantee for the security of personal data (GPDP), an Italian company affiliated with CNIL, was fined 20 million euros. He accuses her of being particularly founded “Biometric monitoring of people in Italian territory”.
Following various complaints and reports, it conducted several inquiries and was able to look into it “Clearview AI – Contrary to what it says – allows monitoring of Italian citizens and people in Italy”. GPDP accuses itself of illegally processing personal data, including biometric and geographic information, without proper legal basis.
Violation of the basic principles of GDPR
As a reminder, Clearview AI currently has a database of over 10 billion face images from around the world. These images were extracted from public web resources such as social networks. It is often criticized that these collections were made without the permission of the persons concerned. In the case of GPDP, this is done using web scraping, which is compatible with a technique for extracting content from websites. Clearview AI actually provides its clients, especially law enforcement agencies, with a sophisticated search service that allows them to compare the face image with its database.
GPDP accuses the US company of violating several basic principles of the Public Data Protection Regulation (GDPR) such as transparency or limited retention period. Firstly, it does not inform the users properly and secondly, it does not set the data retention period. Italian authorities have accused him of violating the freedoms of those involved, including privacy and non-discrimination.
Clearview AI was also ordered to clear data related to those in Italy, along with the fines imposed on it. GPDP has banned further data collection and processing using the company’s face recognition system. Finally, the company should appoint a representative to the EU, with whom it will further or alternately contact the US-based data controller.