Yesterday the Italian Data Protection Authority (the Garante) fined Clearview AI €20m for GDPR violations. It is the latest in a series of regulatory actions in Europe and in Australia against Clearview AI and it also continues a trend of AI enforcement in Italy.
What was this about?
Clearview AI is a US-based corporation which claims to use innovative AI technology to identify individuals, including people wanted by law enforcement. According to the Garante, they claim to have more than 10 billion images indexed in their database, including images of people in Italy. Some of their images have been scraped from social media, although a number of social media operators including Twitter, YouTube and Facebook have asked them to stop this practice. It is fair to say that their technology, its use, and some of its customers, have been controversial. Proceedings have been issued against them and a number of DPAs have received complaints. There is more on the background to those previous investigations here https://www.corderycompliance.com/clearview-to-close-oz-ops/.
What was the Italian investigation about?
As we’ve said previously, DPAs have become much more interested in AI recently. In Spain and Italy there has been a long-running investigation into AI in food delivery, with two fines handed down last year (see https://bit.ly/aiitfines).
The Italian DPA found that Clearview AI had obtained data unlawfully. It also said “The company has also violated other basic principles of the GDPR, such as those relating to the transparency obligations, by not having adequately informed users, of limitation of the purposes of the processing, having used user data for purposes other than those for which they were published online and to limit storage, not having established data retention times. Clearview AI’s activity therefore violates the freedoms of the data subjects, including the protection of confidentiality and the right not to be discriminated against.”
As well as imposing the fine, the Garante, like other DPAs, also ordered the company to delete data relating to people in Italy and prohibited further collection and processing through its facial recognition system.
What does this mean?
The case clearly has implications for AI and shows again the conflict between the ‘secret sauce’ nature of AI and the need for transparency under GDPR. It also has wider implications for anyone using surveillance. Even something as simple as CCTV can cause compliance problems. We’ve looked at the general issues with CCTV here https://www.corderycompliance.com/client-alert-using-cctv-on-business-premises-dp-implications/, at specific cases with CCTV in the workplace in Germany here https://www.corderycompliance.com/german-cctv-fine/, and at the use of Ring doorbells here https://www.corderycompliance.com/cctv-audio-breaches-dpa-rules/. In France the DPA has also taken action over surveillance by drone (see https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042960768).
What happens next?
It is likely that the troubles for those using AI will continue. Clearview AI may seek to challenge the findings as it has with the findings of other DPAs. Given the determination that data has been processed unlawfully, we can also expect litigation. We have talked before about the rise in data protection litigation in Europe and, despite the doors closed by the Supreme Court Judgment in Lloyd v Google LLC (see here https://www.corderycompliance.com/lloyd-v-google-ruling/), we can still expect claimants to try. There has been litigation against Clearview AI in the US and litigation in Europe seems likely. We’ve talked more generally about the rise in data protection litigation here https://www.corderycompliance.com/episode-271-techlaw10-legal-class-actions-us-europe/.
All of these cases also show public concern about surveillance and monitoring which is likely to be a feature of more significant cases too.
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
There are more details of the fine here https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9751323.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784
Office: +44 (0)207 075 1785