AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
France clearview ai gdpr12/15/2023 ![]() Transparency (Art 14): The individuals whose images were obtained were not informed of this processing.There is also no legal basis for this processing under Art 6. Clearview AI did not, apparently, even try to argue such a condition is met. Legal basis and special category personal data (Art 6 and 9(1)): Facial biometrics count as “special category data”, so can only be processed if a condition in Art 9 is satisfied.Retention (Art 5(1)(e)): Clearview AI did not have a retention policy and did not appear to have any process to delete old data.The images will also remain in Clearview AI’s database even if they are removed from the internet. In particular, they may not have been uploaded by the individual so there can be no assumption the individual is content for them to be made public. The images may have been taken from the public internet but that does not mean they can be freely used. Fair and lawful (Art 5(1)(a)): Screen scraping is not fair and lawful, as individuals would not be aware that this processing had taken place.The Information Commissioner suggests this is because it “ would be hopeless” to do so, finding breaches of: Clearview AI did not even try to argue it complied with the UK GDPR/GDPR. The conclusions on breach were more robust. Perhaps recognising this is not a conventional interpretation of the monitoring test, the Information Commissioner notes that any other construction would mean data-scraping companies outside the UK would escape the UK GDPR/GDPR “ such a construction is inconsistent with the purposes of the GDPR and UK GDPR, in particular their purpose of providing a high degree of protection to data subjects”. However, given it takes no steps to exclude UK residents from its database, the Information Commissioner concluded it was “ inevitable” a large number of images would be from the UK. Clearview AI refused to disclose how many of the 20 billion odd images in its database relate to UK residents.That monitoring could not take place without the Clearview AI service. While Clearview AI is not directly monitoring the individual’s behaviour, it’s processing is related to monitoring carried out by the customer.In particular, by reviewing the outputs of that search, the customer is seeking to “ ascertain information about a particular individual’s behaviour…over a period of time”. When a customer tries to match the photo of an individual with the faces in Clearview AI’s database it is “ monitoring of the behaviour” of that individual. ![]() The Information Commissioner concluded that Clearview AI was caught on this basis. This means that the only basis upon which it could be subject to the UK GDPR/GDPR as a result of monitoring the behaviour of individuals in the UK (Art 3(2)(b)). Extra-territorial application of the UK GDPRĬlearview AI does not have any presence in the UK and, save for the trial described above, does not offer its services to customers in the UK. For example, Clearview AI has offered its services to the Government of Ukraine in connection with the Russian invasion to identify combatants and the deceased on both sides of the conflict. However, this technology is apparently used for other purposes. In the UK, at least five law enforcement authorities carried out a trial of the system and conducted 721 searches on the system in order to try and identify the individuals. The primary purpose appears to be law enforcement. The intention is that this additional information can then be used to identify the individual in the image. The tool returns potential matches alongside with metadata and URLs associated with the original image. Those facial vectors are then used to search Clearview AI’s database, which is said to extend to some 20 billion images scraped from the public internet. A customer can submit an image that Clearview AI then turns into a set of facial vectors. The Clearview AI toolĬlearview AI operates a facial recognition tool. This raises important questions about both the theoretical jurisdiction of the UK GDPR and the practical limits on extra-territorial enforcement. The UK Information Commissioner has fined Clearview AI £7.5m and ordered it to stop processing data about UK residents. ![]()
0 Comments
Read More
Leave a Reply. |