In addition, Clearview did not facilitate the complainants’ exercise of their right to access for instance “by only agreeing to respond to the complainant's access request after seven letters and more than four months after her initial request, and by requiring a copy of her ID when the complainant had already provided identifying information and a photograph of herself”. The complainants did not receive the information in a timely manner and only received partial information. They also do not comply with Article 14 GDPR in relation to the provision of information to data subjects, as the latter would not “be aware of Clearview’s processing unless they happened to come across Clearview’s website (which describes the processing in general terms) and/or they happened to read reports about it in the media”.īoth the Garante and the CNIL instigated their investigations following complaints with regards to the right of access (Article 15 GDPR). Lack of transparency and violation of data subject rightsĪccording to ICO the processing by Clearview is not transparent because it is invisible to data subjects, since they are not made aware of the processing and would not reasonably expect their personal data be processed in this way. While they may reasonably expect third parties to access the photographs in question from time to time, the fact that they are publicly accessible is not sufficient to consider that the data subjects may reasonably expect their images to be used in facial recognition software.įor these reasons, in view of all these elements, the infringement of the privacy of individuals appears disproportionate to the interests of Clearview, in particular its commercial and financial interests, and the legal basis of the company's legitimate interest cannot be accepted. It must also be considered whether the data subjects could reasonably expect, at the time and in the context of the collection of their personal data, that these would later be processed by Clearview. The CNIL considers the processing by Clearview as very intrusive: it collects a large amount of photographic data on a given person, together with other personal data that may reveal various aspects of the private life. Moreover, even if the legitimate interest of Clearview is based on the economic interest it derives from its database, a balancing exercise is required between the interest and the rights and freedoms of the data subjects, taking into account the reasonable expectations of individuals. There is no blanket permission to reuse and further process publicly available personal data under Article 7(f)”. The CNIL refers to Opinion 06/2014 of the former Article 29 Working Party which highlights that “personal data, even if it has been made publicly available, continues to be considered as personal data, and its processing therefore continues to require appropriate safeguards. That leaves the legitimate interest as only possible legal basis. Other legal bases such as legal obligation or vital interest, seem also highly unlikely to be available. As Clearview scrapes the internet for human images, it is clear that people appearing in this images have not given their consent. Now we will take a look at the decisions of the French ( CNIL), Italian (Garante per la protezione dei dati personali) and British ( ICO) Data Protection Authorities (DPAs) who have ruled that Clearview itself is in breach of several provisions of the GDPR (and the GDPR UK for the British data subjects).Īlthough there are some differences in the rulings, the DPAs main reasonings are similar, namely a lack of legal basis, lack of transparency and violation of data subject rights.Īrticle 6 GDPR states that the processing of personal data is lawful if, and to the extent that at least one of the conditions listed in the same article is met. In a previous post we discussed the unlawful use of Clearview’s facial recognition software by the Belgian federal police.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |