Jumbo Privacy brings a formal GDPR complaint against Clearview

Jumbo Privacy wants to end Clearview’s clandestine activity in the European Union

We are taking action today against Clearview AI to protect the rights of European citizens.

Clearview AI is a US corporation that specializes in facial recognition. They have built a database of several billion photos collected from the web without prior authorization since 2016.
We discovered that Clearview has collected and was sharing (in full violation of EU law) personal information of EU citizens, including a series of photos of Zoé Vilain, our Chief Privacy & Strategy Officer and VP of Europe.
Upon attempting to exercise Zoé Vilain’s right to privacy under EU law, Clearview did not comply with their legal obligations and failed to reply properly to a legal request for data access and data deletion.
In response, Zoé Vilain has filed a complaint this week with the French Data Protection Authority (CNIL).
We are asking the Authority to urgently take all necessary measures to put an end to the clandestine operations of a company whose facial recognition business is now the subject of several investigations launched in recent weeks in Canada, Australia and the United Kingdom.

Four months of fruitless efforts revealed Clearview’s clandestine and illegal practices

In January 2020, Jumbo Privacy discovered that the US company Clearview was sharing individuals’ personal information without their prior authorization to its customers around the world. Among the affected were residents of the European Union, which means that Clearview was violating the EU General Data Protection Regulation (more commonly known as “GDPR”).

Anxious to know the extent of the data collected by Clearview, Zoé Vilain, its Chief Privacy & Strategy Officer and VP of Europe, decided to investigate on our users’ behalf. She found that she herself was included in Clearview’s facial recognition database. GDPR provisions gave Zoé, as a resident of the EU, the right to request Jumbo Privacy to assist in exercising her legal rights to data access and deletion. Jumbo Privacy contacted Clearview to learn exactly what information they had on Zoé Vilain and how it was used.

Clearview was extremely uncooperative in our quest to exercise Zoé’s legal rights. It took us no less than four months of work, nine email exchanges, photo evidence sent, and many other pieces of personal identification elements provided (first and last name, email and postal address, IP address, etc.)

In a move that we believe violates the prohibition of disproportionate requests, Clearview also refused to move forward without even more additional evidence from Zoé, beyond what was provided above.

As a last resort, we sent a formal notice by mail and by email that they had not complied with their legal obligations to allow Zoé access to data held and the right to delete it.

Clearview replied to this formal notice with a PDF document containing a quick search image comparing three pictures with the picture sent by Zoé Vilain. One photo was of an entirely unrelated person. As for additional information in regards to who the information had been shared with and their legal basis for the data collection, a link was provided to a one page privacy policy without relevant information.

This reply was far from being compliant to requirements under the GDPR. Clearview’s answer should have at least included the following information:

Specific information regarding how Zoé Vilain’s pictures shared with Clearview have been processed by Clearview,
The legal basis for the processing of Zoé Vilain’s pictures;
The purpose of Clearview’s search engine in which Zoé Vilain’s pictures were included,
Third parties that accessed Zoé Vilain’s pictures and the purpose for which Zoé Vilain’s pictures were used – the legal basis for such use by third parties,
The period for which Zoé Vilain’s pictures were stored.

Despite the excessively cumbersome process, we were able to confirm our suspicions regarding Clearview’s repeated breaches and violations of the GDPR, in particular:

Clearview is unlawfully obtaining and providing personal data of EU citizens;
There is a complete lack of legal justification on the part of Clearview concerning its collection, storing and sharing to third parties of data belonging to EU citizens;
Clearview demands demonstrably excessive and disproportionate requests for additional identification aimed at discouraging any appeal;
The weakness of answers provided by Clearview and the prohibitive nature of the processes put in place to handle these requests does not allow for affected individuals to easily exercise their legal right to privacy as spelled out under GDPR.

Jumbo Privacy’s formal complaint aims to put an end to Clearview’s illegal practices

Jumbo Privacy is used to fighting difficult battles in the quest to protect privacy. We were nonetheless surprised by the cumbersome steps required to obtain a legally inadequate answer from Clearview.

Faced with this situation, we have decided to act and take the fight to relevant authorities. We have therefore filed a formal complaint this week before the French Data Protection Authority, the CNIL, in order to put Clearview in the spotlight and to be able to properly defend the privacy of its users against these kinds of illegal practices.

Jumbo Privacy will provide regular updates on this claim.

Have any questions/comments, or want to help us in our privacy research, or have any leads for us to explore? Contact [email protected].