France Fines Clearview AI €20 Million for GDPR Violations and Unlawful Biometric Surveillance

Importance: 8/10

France’s data protection authority (CNIL) imposed a €20 million fine on Clearview AI - the maximum penalty allowed under GDPR Article 83 - for unlawful processing of biometric data through its facial recognition technology. The CNIL found that Clearview had collected over 20 billion images worldwide and violated multiple GDPR provisions by processing personal data without a legal basis, failing to respect individuals’ rights to access and erasure of their data, and refusing to cooperate with the CNIL investigation.

Regulatory Violations and Non-Compliance

The CNIL investigation, which began after complaints from individuals in May 2020 and from Privacy International in May 2021, identified severe breaches of GDPR Articles 6 (lawfulness of processing), 12, 15, and 17 (individual rights), and 31 (cooperation with supervisory authorities). On November 26, 2021, the CNIL gave Clearview AI formal notice to cease collecting and using data of persons on French territory and to facilitate the exercise of individuals’ rights within two months. Clearview AI completely ignored this formal notice and provided no response.

Enforcement Orders with Daily Penalties

Beyond the €20 million monetary penalty, the CNIL ordered Clearview AI to stop collecting and processing data of individuals residing in France without a legal basis and to delete already collected data within two months, with a penalty of €100,000 per day of delay beyond the deadline. The decision emphasized that Clearview’s business model - scraping billions of photos from the internet to create a searchable facial recognition database marketed to law enforcement - fundamentally lacked legal basis under European privacy law.

Significance

This maximum GDPR fine demonstrated Europe’s determination to enforce privacy protections against U.S. surveillance companies operating beyond democratic accountability. The case established precedent that companies cannot operate facial recognition systems in EU jurisdictions without documented lawful grounds, particularly when processing biometric data without consent and ignoring individuals’ erasure requests. Clearview’s complete refusal to respond to regulatory orders revealed how private surveillance companies could operate in defiance of European law while continuing to collect European citizens’ data. The €100,000 daily penalty for non-compliance represented an attempt to create financial consequences severe enough to force compliance, though enforcement against a U.S.-based company remained challenging.
