The European Commission is in consultation with EU data protection authorities following the news that US technology firm Clearview AI has scraped more than three billion facial images from social media sites including YouTube, Facebook and Twitter, without obtaining the permission of users.
It has also transpired, following an investigation by BuzzFeed News, that the company wants to expand its service to the European market, with nine European countries including Italy, Greece, and the Netherlands as potential partners.
Meanwhile, EURACTIV has been informed by a US official that Clearview AI is not a member of the 2016 EU-US Privacy Shield agreement, which obliges American companies to protect personal data belonging to EU citizens, according to EU standards and consumer rights.
Clearview AI has not as yet disclosed whether any of the images have been harvested from EU citizens. If this were to be the case, the software may violate the EU’s General Data Protection Regulation, Article 4 (14) of which covers the processing of biometric data.
“The Commission is aware of the press reports, we are following the dossier and remain in close contact with national data protection authorities and the European Data Protection Board,” a spokesperson from the EU executive told EURACTIV.
“These technologies don’t operate in a legal vacuum. The use of personal data falls under strict GDPR rules requiring well-defined legal basis and legitimate purposes, that the data subject is aware of the process and has means of redress and verification.”
The official added that the Commission is currently putting the final touches to its plans for a possible regulatory environment for Artificial Intelligence technologies, and is “considering specific requirements for facial recognition.”
This comes following a recent leak that revealed that the Commission is considering measures to impose a temporary ban on facial recognition technologies. However, a later leak removed the suggestion that there could be a moratorium on facial recognition technologies in the EU. The finalised paper is set to be presented by the Commission on February 19.
In EU member states, meanwhile, plans have been recently announced for the rollout of facial recognition technology on the continent. Germany has revealed plans to roll out automatic facial recognition at 134 railway stations and 14 airports, while France also has the intention to establish a legal framework permitting video surveillance systems to be embedded with facial recognition technologies.
For its part, the European Data Protection Board, which the Commission has been consulting following the concerns surrounding Clearview AI, released guidelines on the use of facial recognition technologies in January this year.
“The use of biometric data and in particular facial recognition entails heightened risks for data subjects’ rights,” the paper states. “It is crucial that recourse to such technologies takes place with due respect to the principles of lawfulness, necessity, proportionality and data minimisation as set forth in the GDPR.”
An official from the European Data Protection Board informed EURACTIV that “the GDPR is designed to be technologically neutral and that the EDPB generally does not adopt guidance concerning specific companies.”
The official added, however, that as yet, no questions have been raised to the Board regarding Clearview AI’s software.
Clearview AI provides organisations, predominantly law enforcement agencies, with a database that is able to match images of faces with over three billion other facial pictures scraped from social media sites.
The company has recently been hit with a series of reprisals from social media platforms, which have taken a hostile stance in response to Clearview AI’s operations. In January, Twitter sent a cease and desist letter and requested the deletion of all data Clearview had harvested from its platform. YouTube and Facebook followed up with similar actions in February.
Clearview AI claims that it has a First Amendment right to public information, and defends its practice on the basis of assisting law enforcement agencies in the fight against crime. Law enforcement agencies themselves are exempt from the EU’s GDPR.
Moreover, Clearview AI may find further comfort in the fact that last year, the US Ninth Circuit Court of Appeals ruled that automated scraping doesn’t violate the 1986 Computer Fraud and Abuse Act, a law which had often been cited in the fight against mass data scraping.
[Edited by Zoran Radosavljevic]