Researcher explores Clearview facial recognition, GDPR allegations and enforcement
The collection of biometric data from public images by Clearview AI violates European data protection law, but there is little privacy authorities within the bloc can do about it, a researcher at the University of Leuven’s Centre for IT & IP Law (CiTiP) writes in a two-part blog post.
Catherine Jasserand is a postdoctoral privacy researcher and Marie Skłodowska-Curie fellow at KU Leuven, and is studying the use of facial recognition in public spaces.
Jasserand points out in Part 1 that for images used by Clearview to build its facial recognition database are likely covered under GDPR, since the threshold for data to be considered personal is its usefulness for identification, therefore presumably including any images that Clearview could produce vectors from.
On the question of the extraterritorial scope of Europe’s General Data Protection Regulation, she notes that a foreign entity can be subject to GDPR when it targets an individual in the EU as a customer or to monitor their behavior. The decisions of data protection authorities in France and Hamburg refer to the latter criteria.
Having in Jasserand’s view shown that Clearview’s biometric data collection and operating activities fall under the scope of GDPR in Part 1, the Part 2 post discusses alleged violations and enforcement of GDPR rules.
GDPR provides six different grounds for collecting public information, Jasserand writes, of which Clearview has invoked legitimate interest in defending its practices. That criterion requires a balance between the controller’s interest and individual’s fundamental rights and freedoms, with the latter including a reasonably expectation of how their data will be used. Reasonable expectation of Clearview’s treatment of the data, however, “is hard to argue.”
“As rightly noted by the French DPA, the other legal grounds were not applicable “given the nature of the processing in question.” Clearview AI did not have any legal basis for collecting the photographs,” Jasserand argues.
“As a result, it is not necessary to assess whether the company had a legal ground to process biometric data as these data result from the technical transformation of the photographs themselves illegally collected.”
Clearview’s also violated GDPR’s transparency requirements, Jasserand says, by not informing data subjects that their data was being processed, and data access and deletion requirements have also not been met.
DPA’s and extraterritorial enforcement
European data protection authorities have issued orders to Clearview over its facial recognition database, and even imposed fines, but Jasserand asks how the company can be compelled to comply with decisions made in countries it does not have a presence in.
The U.S. is moving towards greater recognition of international judgements with the March 2022 signing of the Hague Judgements Convention, but in the absence of federal law on foreign judgements, the matter falls to the states, according to Jasserand (who is qualified to the New York Bar).
Judgements would have to be “final, conclusive, and enforceable” to be recognized in the U.S., but the judgements so far are interim or subject to appeal.
Lack of a physical presence and decisions judged contrary to public order could also be grounds for enforcement actions under GDPR to be rejected.
Jasserand concludes that Clearview is currently in violation of GDPR, but the decisions of the DPAs unenforceable.