Clearview AI, the controversial facial recognition firm that scrapes selfies and other personal data off the Internet without consent to feed an AI-powered identity-matching service it sells to law enforcement and others, has been hit with another fine in Europe.

Here’s the CNIL’s summary of Clearview’s breaches:

“The chair of the CNIL therefore decided to refer the matter to the restricted committee, which is in charge for issuing sanctions. On the basis of the information brought to its attention, the restricted committee decided to impose a maximum financial penalty of 20 million euros, according to article 83 of the GDPR [General Data Protection Regulation].”

The EU’s GDPR allows for penalties of up to 4% of a firm’s worldwide annual revenue for the most serious infringements — or €20 million, whichever is higher. But the CNIL’s press release makes clear it’s imposing the maximum amount it possibly can here.

Whether France will see a penny of this money from Clearview remains an open question, however.

So the GDPR penalties look mostly like a warning to stay away from Europe.

Clearview’s PR agency, LakPR Group, sent us this statement following the CNIL’s sanction — which it attributed to CEO Hoan Ton-That:

There is no way to determine if a person has French citizenship, purely from a public photo from the internet, and therefore it is impossible to delete data from French residents. Clearview AI only collects publicly available information from the internet, just like any other search engine like Google, Bing or DuckDuckGo.

The statement goes on to reiterate earlier claims by Clearview that it does not have a place of business in France or in the EU, nor undertake any activities that would “otherwise mean it is subject to the GDPR”, as it puts it — adding: “Clearview AI’s database of publicly available images is lawfully collected, just like any other search engine like Google.”

(NB: On paper the GDPR has extraterritorial reach so its former arguments are meaningless, while its claim it’s not doing anything that would make it subject to the GDPR looks absurd given its amassed a database of over 20 billion images worldwide and Europe is, er, part of Planet Earth… )

Ton-That’s statement also repeats a much-trotted out claim in Clearview’s public statements responding to the flow of regulatory sanctions its business attracts that it created its facial recognition tech with “the purpose of helping to make communities safer and assisting law enforcement in solving heinous crimes against children, seniors and other victims of unscrupulous acts” — not to cash in by unlawfully exploiting people’s privacy — not that, in any case, having a ‘pure’ motive would make any difference to its requirement, under European law, to have a valid legal basis to process people’s data in the first place.

“We only collect public data from the open internet and comply with all standards of privacy and law. I am heartbroken by the misinterpretation by some in France, where we do no business, of Clearview AI’s technology to society. My intentions and those of my company have always been to help communities and their people to live better, safer lives,” concludes Clearview’s PR.

Each time it has received a sanction from an international regulator it’s done the same thing: Denying it has committed any breach and refuted the foreign body has any jurisdiction over its business — so its strategy for dealing with its own data processing lawlessness appears to be simple non-cooperation with regulators outside the US.

On home turf, Clearview has finally had to face up to some legal red lines recently.

The need to empower regulators so they can order the deletion (or market withdrawal) of algorithms trained on unlawfully processed data does look like an important upgrade to their toolboxes if we’re to avoid an AI-fuelled dystopia.

France fines Clearview AI maximum possible for GDPR breaches by Natasha Lomas originally published on TechCrunch