By Mathieu Rosemain
PARIS - French data privacy watchdog CNIL has ordered U.S.-based Clearview AI, a facial recognition company that has collected 10 billion images worldwide, to stop amassing and using data from people based in France.
In a formal demand disclosed on Thursday, the CNIL stressed that Clearview's collection of publicly-available facial images on social media and the Internet had no legal basis and breached European Union rules on data privacy, known as GDPR.
The company denied the breaches.
"Clearview AI does not have a place of business in France or the EU, it does not have any customers in France or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR", said the company's CEO, Hoan Ton-That.
Under EU law, the regulatory framework of the GDPR can apply in some cases where data of EU-based users of internet services are tracked and processed, even if the provider has no physical presence inside the bloc.
The French regulator said the software company, whose product is used as a search engine for faces to help law enforcement and intelligence agencies in their investigations, failed to ask for the prior consent of those whose images it collected online.
"These biometric data are particularly sensitive, notably because they are linked to our physical identity (what we are) and allow us to be identified in a unique way," the authority said in a statement.
It said the New York-based firm failed to give those concerned proper access to their data, notably by limiting access to twice a year, without justification, and by limiting this right to data racked up during the 12 months before any request.
In an e-mailed statement, Clearview's Ton-That said he had always liked France and had "deep respect" for its people.
He said he was "heartbroken" by the way some in France had misinterpreted his company's activities, adding that its sole aim was "to help communities and their people to live better, safer lives".
EU law provides for citizens to seek the removal of their personal data from a privately-owned database. The CNIL said Clearview had two months to abide by its demands or it could face a sanction.
The decision follows several complaints, among them one by advocacy group Privacy International. It also follows a similar order by the CNIL's Australian peer, which told Clearview to stop collecting images from websites and destroy data collected in the country.
The U.K. Information Commissioner's Office, which worked with the Australians on the Clearview investigation, also said last month it intended to fine Clearview 17 million pounds ($22.59 million) for alleged breaches of data protection law.