By Mathieu Rosemain

PARIS (Reuters). CNIL, a French privacy watchdog has ordered Clearview AI in the U.S., a facial recognition firm that collected more than 10 billion images from all over the globe, to stop collecting data and use it for its own purposes.

The CNIL stated that Clearview’s gathering of public facial images via social media and the Internet was without legal foundation and in violation to the EU rules regarding data privacy.

The breach was denied by the company.

Hoan Ton That, the CEO of Clearview AI said that Clearview AI doesn’t have a business location in France or in the EU. He also stated that Clearview AI doesn’t have any customers in France. Clearview AI did not engage in any activity which would make it subject to the GDPR.

EU law allows the regulation framework of GDPR to apply when EU-based Internet service users have their data tracked and processed. This applies even if there is no physical presence of the provider.

DATA CLASSIFICATIONS SENSITIVE’

French regulator has stated that software companies are used by law enforcement and intelligence agencies as search engines for people’s faces. However, the French regulator did not ask permission to access the images collected online.

The authority stated that biometric data were particularly sensitive because they can be linked to physical identities (what we are), and thus allow for unique identification.

The New York-based company was accused of not giving the affected proper access. This included by restricting access to two times a year without any justification and by severely limiting the right to access data that had been accumulated in the twelve months preceding any request.

Clearview’s Ton said in an emailed statement that he has always loved France and “deep respect” for its citizens.

He stated that he was heartbroken by how some French people had misinterpreted the activities of his company. However, he added that it was solely designed to help “communities and their residents live safer, better lives”.

EU law permits citizens to ask for the deletion of their personal information from any privately owned database. Clearview has two months to comply or the CNIL could sanction it.

Privacy International filed a complaint and the decision was taken. Clearview was also asked to cease collecting any images on websites by an Australian counterpart. Clearview is instructed to destroy all data that has been collected within the country.

Clearview was investigated by the U.K. Information Commissioner’s Office. It worked closely with Australians to determine the extent of the violations of data protection laws.

($1=0.7526 pounds)