July 14, 2020
We are taking action today against Clearview AI to protect the rights of European citizens.
Four months of fruitless efforts revealed Clearview’s clandestine and illegal practices
In January 2020, Jumbo Privacy discovered that the US company Clearview was sharing individuals’ personal information without their prior authorization to its customers around the world. Among the affected were residents of the European Union, which means that Clearview was violating the EU General Data Protection Regulation (more commonly known as “GDPR”).
Anxious to know the extent of the data collected by Clearview, Zoé Vilain, its Chief Privacy & Strategy Officer and VP of Europe, decided to investigate on our users’ behalf. She found that she herself was included in Clearview’s facial recognition database. GDPR provisions gave Zoé, as a resident of the EU, the right to request Jumbo Privacy to assist in exercising her legal rights to data access and deletion. Jumbo Privacy contacted Clearview to learn exactly what information they had on Zoé Vilain and how it was used.
Clearview was extremely uncooperative in our quest to exercise Zoé’s legal rights. It took us no less than four months of work, nine email exchanges, photo evidence sent, and many other pieces of personal identification elements provided (first and last name, email and postal address, IP address, etc.)
In a move that we believe violates the prohibition of disproportionate requests, Clearview also refused to move forward without even more additional evidence from Zoé, beyond what was provided above.
As a last resort, we sent a formal notice by mail and by email that they had not complied with their legal obligations to allow Zoé access to data held and the right to delete it.
Clearview replied to this formal notice with a PDF document containing a quick search image comparing three pictures with the picture sent by Zoé Vilain. One photo was of an entirely unrelated person. As for additional information in regards to who the information had been shared with and their legal basis for the data collection, a link was provided to a one page privacy policy without relevant information.
This reply was far from being compliant to requirements under the GDPR. Clearview’s answer should have at least included the following information:
Despite the excessively cumbersome process, we were able to confirm our suspicions regarding Clearview’s repeated breaches and violations of the GDPR, in particular:
Jumbo Privacy’s formal complaint aims to put an end to Clearview’s illegal practices
Jumbo Privacy is used to fighting difficult battles in the quest to protect privacy. We were nonetheless surprised by the cumbersome steps required to obtain a legally inadequate answer from Clearview.
Faced with this situation, we have decided to act and take the fight to relevant authorities. We have therefore filed a formal complaint this week before the French Data Protection Authority, the CNIL, in order to put Clearview in the spotlight and to be able to properly defend the privacy of its users against these kinds of illegal practices.
Jumbo Privacy will provide regular updates on this claim.
Have any questions/comments, or want to help us in our privacy research, or have any leads for us to explore? Contact [email protected].
Jumbo Privacy
Team