In February 2020, a complaint was filed against Clearview AI with the Hamburg data protection commissioner. The company operates a facial recognition app. In the opinion of the authority, Clearview AI had only inadequately answered questions about its business model. With a formal information collection notice, the data protection commissioner now wants to force the company’s cooperation. If the company does not provide comprehensive and meaningful answers to the questions posed in the notice by mid-September, it faces a penalty payment of up to EUR 170,000.
Clearview AI Business Model
The Clearview AI facial recognition app is based on an archive of photos publicly available on the Internet. Clearview AI apparently copied more than three billion photos, e.g. from social networks such as Facebook, Instagram and Twitter. Among them are said to be photos of people from the European Union. The start-up then evaluated these for biometric data. The software is designed to help security agencies identify unknown people from photos. When a Clearview customer uploads a photo of a person to the app, Clearview AI matches it with the photos in its database.
GDPR requirements likely to pose challenges to business model
Clearview AI had not responded to the Hamburg Data Protection Commissioner’s previous questions primarily because, in its view, the European General Data Protection Regulation (GDPR) does not apply at all. The Hamburg data protection commissioner takes a different view. Clearview AI also has customers whose employees are located in the EU and whose behavior as users of the app is in any case monitored by setting cookies. According to Art. 3(2)(b) of the GDPR, this brings Clearview AI within the scope of the GDPR, and the company is obliged to provide information.
However, the background to the notice seems to be less about user tracking. Rather, the Hamburg data protection commissioner is concerned by the “mass and unprovoked” collection of images online, which makes “individuals identifiable through biometric analysis” and endangers “privacy on a global scale.” Indeed, Clearview AI’s business model is likely to face major challenges in complying with the GDPR requirements for biometric analysis of photos. Under the GDPR, the collection and further use of biometric data is only allowed under strict conditions (Art. 9(2) GDPR). Explicit consent for data processing would probably have to be obtained from EU data subjects in accordance with Art. 9(2)(a) GDPR. With billions of photos, this would be a challenging undertaking.
No lawful use of the app by EU law enforcement agencies
EU law enforcement agencies are so far not allowed to use the app. According to the European Data Protection Board, there is no legal basis for the use of biometric facial recognition by European law enforcement agencies. At the same time, the European Data Protection Board announced its intention to develop guidelines regulating the use of automated facial recognition by European law enforcement agencies.
Cooperation of supervisory authorities
Clearview AI has also attracted interest from data protection authorities outside the EU. The UK and Australian data protection authorities launched a joint investigation against Clearview AI in July 2020. Both also want to cooperate with other data protection authorities. The Clearview AI case clearly shows that data protection authorities are increasingly thinking outside the national box, not only taking up subjects under review by other authorities but also increasingly cooperating. It will be interesting to see whether Clearview AI is impressed by the threat of a fine and the cooperation between the authorities.