Zebeth Media Solutions

GDPR

After key privacy and security departures last week, Twitter names ‘acting DPO’ • ZebethMedia

Following a flurry of resignations of senior Twitter privacy and security staffers late last week, the social media firm has informed its lead data protection regulator in the European Union that it has appointed an “acting” replacement for one of those positions: the key role of data protection officer (DPO).

The abrupt departures of Twitter’s CISO Lea Kissner; chief privacy officer (and DPO) Damien Kieran; and chief compliance officer Marianne Fogarty immediately raised questions over its ability to meet regulatory requirements under new, norm-trashing broom, Elon Musk — who only completed his $44 billion takeover at the end of last month.

A company that’s processing personal data at the scale Twitter does is obliged, under the European Union’s General Data Protection Regulation (GDPR), to have a DPO — at a bare minimum. Twitter also has a 2011 consent decree with the FTC that requires it to submit regular reports on how it’s living up to ongoing commitments to safeguard user data — so the sudden departure of senior privacy and security staffers immediately set alarm bells ringing. Including at the Irish Data Protection Commission (DPC), Twitter’s lead data supervisor for the EU’s GDPR.

A meeting between the DPC and Twitter followed hard on the heels of the trio of resignations — arranged last week and taking place yesterday — and at this meeting, the DPC said, Twitter informed it that it has appointed an existing employee, Renato Monteiro, as its “acting DPO”.

Monteiro has been employed at Twitter for two years nine months, per his LinkedIn profile — starting in March 2020 in São Paulo, Brazil, as Data Protection Counsel Lead for Latin America, before relocating to Twitter Ireland this summer to take up a role as director, international privacy and data protection lead — managing privacy and data protection teams in Europe, the Middle East and Africa, North and South America and APAC.
It is not clear why Monteiro has only been named “acting” DPO — or whether his appointment is intended only as a stop-gap while a full replacement is sought. Since Musk took over Twitter, the company has stopped responding to press enquiries, so it is not possible to obtain confirmation via an official channel.

But Musk appears to have a penchant for appointing ‘acting’ rather than actual job titles, as well as for playing with absurd job titles (such as initially christening himself “chief twit”, after he fired and took over from the actual CEO; followed by Musk becoming “Twitter complaint hotline operator”, seemingly as a commentary on users responding negatively to his early product decisions and other changes).

One question that’s likely to arise, therefore, is whether Monteiro is being invested with the full responsibilities and duties required by the DPO role under GDPR — and, if not, whether an ‘acting’ framing will pass muster with EU regulators. At the time of writing the DPC had not responded to our question on this point. But we’ll update this report if we get a response.

Last week, the Irish regulator told us that, in addition to using Monday’s meeting with Twitter to seek information from it about the DPO situation, it planned to discuss a wider concern — to ask whether the business is still claiming its main establishment (for GDPR purposes) in Ireland. This structure is important because it enables Twitter to participate in the GDPR’s one-stop-shop (OSS) mechanism — which sets up the DPC as its lead data supervisor for EU data protection issues and means complaints made elsewhere in the bloc are typically funnelled via Ireland — allowing the US-based company to streamline its GDPR compliance and shrink regulatory risk.
However, given all the drastic changes accompanying Musk’s takeover of Twitter — including, reportedly, standard privacy and security review processes being dispensed with — doubts are being cast over whether Twitter can still credibly claim main establishment in Ireland, as we reported yesterday.

The DPC’s deputy commissioner Graham Doyle declined to provide an update on its questioning of Twitter’s main establishment status following yesterday’s meeting — saying only: “We continue to engage with Twitter.”

Other EU data protection agencies are likely to be watching developments on this front exceedingly closely. A spokesperson for France’s CNIL told ZebethMedia it will be approaching the DPC to discuss the nature and “possible consequences” of changes reported to have taken place at Twitter since Musk took over. Although the regulator also told us that, at present, it does not have “sufficient information” to question the application of the OSS.

“Until now, the evidence available to the supervisory authorities has led them to consider that Twitter’s principal place of business in the EU was in Ireland, which made the DPC the lead authority. The CNIL intends to approach the DPC to discuss the nature and possible consequences that the changes mentioned in the press are likely to have on the role and status of Twitter’s Irish establishment,” the CNIL’s spokesperson said. “At this stage, the CNIL does not have sufficient information to consider that the application of the one-stop shop system is in question.”

Is Elon Musk’s Twitter about to fall out of the GDPR’s one-stop shop? • ZebethMedia

Helmed by erratic new owner Elon Musk, Twitter is no longer fulfilling key obligations required for it to claim Ireland as its so-called “main establishment” under the European Union’s General Data Protection Regulation (GDPR), a source familiar with the matter has told ZebethMedia. Our source, who is well placed, requested and was granted anonymity owing to the sensitivity of the issue — which could have major ramifications for Twitter and for Musk.

Like many major tech firms with customers across the European Union, Twitter currently avails itself of a mechanism in the GDPR known as the one-stop shop (OSS). This is beneficial because it allows the company to streamline regulatory administration by engaging exclusively with a lead data supervisor in the EU Member State where it is ‘main established’ (in Twitter’s case Ireland), rather than having to accept inbound from data protection authorities across the bloc.

However, under Musk’s chaotic reign — which has already seen a fast and deep downsizing of Twitter’s headcount, kicking off with layoffs of 50% of staff earlier this month — questions are being asked over whether its main establishment status in Ireland for the GDPR still holds.

The resignation late last week of key senior personnel responsible for ensuring security and privacy compliance looks like a canary in the coal mine when it comes to Twitter’s regulatory situation — with CISO Lea Kissner; chief privacy officer Damien Kieran; and chief compliance officer Marianne Fogarty all walking out the door en masse. It’s not clear whether any adequately qualified individuals will be willing to step into these critical compliance roles for privacy and security at Twitter given the current Musk-driven craziness — since anyone signing up for that level of responsibility risks opening themselves up to personal liability should regulatory requirements be breached on their watch.
As we reported Friday, Musk’s attorney and now head of legal at Twitter, Alex Spiro — who has reportedly been given a key role in the overhaul of the platform — emailing all staff on behalf of “Elon” to claim they face no personal liability will surely sound alarm bells at regulators over Twitter’s direction of travel.

Last week, The Verge also reported on turmoil inside Twitter’s privacy and security function as standard review procedures were dispensed with and engineers were asked to “self certify” compliance with FTC rules. Its report also cited an unnamed company lawyer who it said had Slacked employees to warn them that changes to how Twitter operates are piling personal, professional and legal risk onto engineers instructed to implement Musk’s will regardless of consequences.

Under the EU’s GDPR, meanwhile, Twitter is obliged — in just one very basic requirement — to have a data protection officer (DPO) to provide a contact point for regulators. Hence the departure of Kieran, its first and only DPO since the role was created at the company in 2018, has not gone unnoticed by its data protection watchdog in Ireland — as we also reported Friday.

But the Irish Data Protection Commission (DPC)’s concerns are already spiralling wider than Twitter’s compliance with notifications about core personnel: Last week, the authority — currently Twitter’s lead EU DPA under the GDPR’s OSS — put the social media firm on watch by signalling public concern when it said it would be putting questions to the company about the status of its main establishment in Ireland at a meeting scheduled for early this week, to discuss all the recent privacy changes since the Musk takeover. Twitter has not commented publicly on the DPC’s warning nor on the departures of senior regulator-facing staffers.
Indeed, since Musk took over, its communications department appears to have been dismantled and the company no longer responds to press requests for comment — so it was not possible to obtain an official statement from Twitter about these departures or on the substance of our report. (We’re happy to add a response if Twitter or Musk wants to send us one.)

For Twitter’s business itself, there are a number of potential consequences in play if it can no longer meet regulatory requirements. If the DPC assesses (or is informed by Musk) that it no longer has its main establishment in Ireland, the company will crash out of the OSS — opening it up to being regulated by data protection authorities across the bloc’s 27 Member States, which would become competent to oversee its business.

In practice, that means any EU data protection authority would be able to act directly on concerns it has that local users’ data is at risk — with the power to instigate its own investigations and take enforcement actions. So Ireland’s more business-friendly regulator would no longer be leading the handling of any GDPR concerns about Twitter; probes could be simultaneously opened up all over the EU — including in Member States like France and Germany, where data protection authorities have a reputation for being quicker to the punch (and/or more aggressive) in responding to complaints compared to Ireland.

If Twitter loses its ability to claim main establishment in Ireland it would therefore drastically amp up the complexity, cost and risk of achieving GDPR compliance. (Reminder: Penalties under the regulation can scale up to 4% of annual global turnover — so these are not rules a normal CEO would ignore.)

The GDPR does not set out specific criteria for assessing main establishment.
But, in Twitter’s case — in order for it to be able to fulfil the regulation’s requirement of “effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements” actually taking place locally, in Ireland, despite Twitter product development being led out of the US — we understand that the company devised a careful legal framework which was designed to empower an Irish entity to be the data controller for EU users by ensuring that this Ireland-located Twitter company, which has its own board of directors subject to

Twitter’s lead EU watchdog for data protection has fresh questions for Musk • ZebethMedia

In parallel with the FTC’s ominous warning to Elon Musk’s Twitter yesterday — that ‘no CEO or company is above the law’ — the microblogging platform’s lead regulator in the European Union is on its case in the wake of senior staffers in charge of security and privacy compliance walking out the door.

Graham Doyle, a deputy commissioner at Ireland’s Data Protection Commission (DPC), which currently leads oversight of Twitter under the EU’s General Data Protection Regulation (GDPR), told ZebethMedia it’s in contact with the company following media reports yesterday that its data protection officer (DPO) had resigned. A meeting between the DPC and Twitter will take place early next week, according to Doyle. He also confirmed to us that Twitter had not informed the regulator of the DPO’s departure prior to the media reports.

Getting clarity over the DPO situation will be top of the meeting agenda, per Doyle. But he said the regulator now has another concern it wants to discuss with Twitter — regarding whether Twitter’s main establishment, for GDPR purposes, is still located in Ireland…

Next stop: One-stop-shop stopped?

“One of the issues that we want to discuss is the issue around main establishment,” Doyle told ZebethMedia. “They’re obliged to have a data protection officer in place and provide us with the details but equally, under the [GDPR] one-stop-shop (OSS) mechanism, in order to get a main establishment to engage with one regulator, the decision making processes — in terms of the processing of EU data — need to take place in that country. That’s one of the principles of main establishment.
And what we want to establish is that that is continuing to be the case for Twitter.”

Ireland being Twitter’s lead regulator for the GDPR under the OSS is important because it puts the Irish watchdog in the driving seat when it comes to opening inquiries (or not), or otherwise acting on concerns over Twitter’s compliance (such as following up on the un-notified resignation of its DPO now). From Twitter’s point of view, the arrangement is advantageous because it streamlines compliance: it only needs to liaise with one (lead) regulator over any issues, rather than handling inbound from multiple data protection agencies (potentially in different languages).

Ireland has a lead supervisor role for Twitter because the company was able to notify its Dublin office as its “main establishment” in the EU — what the regulation refers to as either the place of “central administration in the Union” or “where the main processing activities take place in the Union”. However, were Twitter to be deemed to no longer have this processing base in Ireland, there would be an immediate regulatory reconfiguration and data protection authorities across the bloc, from any of the EU’s 27 Member States, could instigate inquiries or act on local complaints themselves — cranking up the regulatory complexity, velocity and risk for Twitter’s European business.

With Musk slashing 50% of Twitter’s headcount globally just last week — and a reported “carnage” in the Irish office, per an Irish Times report which said more than 50% of local staff were affected — questions have arisen in Dublin over the stability of its main establishment status for the GDPR.

“We’ve made contact with Twitter… And for us one of the issues we want to discuss with them is the issue of main establishment — is there any change?
With the announcement of the departures — including the DPO — are there any plans to change the decision making process that’s in place that allows them to avail of the main establishment,” Doyle reiterated.

Reports that all was not well up at the senior echelons of Twitter’s security and privacy function spilled out onto Twitter yesterday afternoon. Platformer journalists Casey Newton and Zoë Schiffer reported that Twitter’s CISO, chief privacy officer and chief compliance officer had all resigned — citing messages shared in Twitter Slack which they had obtained. Soon afterwards, the Washington Post’s Cat Zakrzewski tweeted that the Irish DPC was “seeking more information” from Twitter.

“According to messages shared in Twitter Slack, Twitter’s CISO, chief privacy officer, and chief compliance officer all resigned last night. An employee says it will be up to engineers to “self-certify compliance with FTC requirements and other laws.”” — Casey Newton (@CaseyNewton) November 10, 2022

“NEW: A senior member of Twitter’s legal team just posted this message in Slack: “Everyone should know that our CISO, Chief Privacy Officer and Chief Compliance Officer ALL resigned last night. This news will be buried in the return-to-office drama. I believe that is intentional.”” — Zoë Schiffer (@ZoeSchiffer) November 10, 2022

Twitter CISO Lea Kissner later confirmed her departure in a tweet — as did Damien Kieran, Twitter’s now ex chief privacy officer. While Marianne Fogarty, Twitter’s (reportedly ex) chief compliance officer, tweeted what may be an indirect confirmation too, late yesterday — writing: “Therapy Thursdays have taken on new meaning of late. #LoveTwitter”.

Enquiries to Twitter’s press line have gone unanswered since Musk took over so it’s not been possible to obtain an official line on what’s going on.
The company’s communications department appears to have been a major casualty of the 50% headcount reduction Musk swiftly applied on taking over — with press staffers either entirely or almost entirely laid off. It is also not clear how many of Twitter’s staff in Ireland were laid off last week. There is no obligation on the company to report overall layoff numbers to the DPC.

Nor are the criteria a regulator should use for assessing main establishment clear, as they are not stipulated in the GDPR itself — but rather left up to regulators to determine. (On determining main establishment, the regulation states: “The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements” — further stipulating that “criterion should not

Ireland-led GDPR probe of Yahoo’s cookie banners moves to draft decision review • ZebethMedia

A multi-year investigation into ZebethMedia’s parent entity Yahoo — looking at compliance with key transparency requirements of the European Union’s General Data Protection Regulation (GDPR), including in relation to cookie banners displayed on its media properties — has taken a step forward today after Ireland’s Data Protection Commission (DPC) announced that it has submitted a draft decision to other EU data protection agencies for review.

In a statement on the development, deputy commissioner Graham Doyle said: “On October 27, 2022, the DPC submitted a draft decision in an inquiry into Yahoo! EMEA Limited to other Concerned Supervisory Authorities across the EU. The inquiry examined the company’s compliance with the requirements to provide transparent information to data subjects under the provisions of the GDPR. Under the Article 60 GDPR process, Concerned Supervisory Authorities have until 24 November, 2022 to send any ‘relevant and reasoned objections’ to the DPC’s draft decision.”

Following its usual procedure, the DPC has not released any details on the substance of its draft decision. In any case, the outcome is not final until other interested DPAs have weighed in — so nothing has been concluded yet.

The inquiry concerns Yahoo’s processing of European users’ data and is focused on its compliance with Articles 5(1)(a), 12, 13 and 14 of the GDPR — so the DPAs will be considering whether Yahoo’s business has been meeting GDPR requirements for personal data processing to be lawful, fair and transparent; and also whether it’s been properly communicating to users how their data is being processed.

If other DPAs agree with Ireland’s draft a final decision could be issued fairly soon — maybe even in a couple of months. However, if objections are raised the process may need to go through a dispute resolution mechanism in the GDPR — which could spin things out for many more months.
(A draft decision on Instagram’s processing of kids’ data went to Article 60 in December 2021 but a final decision (and hefty fine in that case) took until September 2022 to land after other DPAs raised objections to Ireland’s draft, for example.)

The DPC’s investigation into Yahoo kicked off in August, 2019, when the entity was known as Verizon Media (née Oath) and owned by US carrier Verizon. The latter went on to sell the division, in May 2021, to private equity giant Apollo Global Management — which plumped for a retro rebranding (to Yahoo). So it’s the PE giant that’s been left holding the regulatory exposure here.

Speaking to the Irish Independent back in 2019, the DPC’s commissioner, Helen Dixon, said the investigation focused on transparency issues related to publications operated by the company and was opened in response to multiple complaints from individuals about Yahoo media sites — including over cookie banners she said sometimes “effectively” offer no choice to users — beyond an ‘option’ to click “okay”.

Yahoo owns a string of Yahoo-branded media properties, including Yahoo News, Yahoo Finance, Yahoo Sports etc, tech media sites like Engadget (and this website) — as well as, at the time the DPC opened its probe, the HuffPo and tumblr — which the company linked to its online advertising business via the use of tracking cookies dropped on visitors’ devices. Hence these cookie consent banners popping up with information about ad ‘partners’ and purposes for processing.

Thing is, under the GDPR, in order for consent to be a valid legal basis to process people’s data it must be informed, specific and freely given — so a cookie banner that lacks an option for users to deny ad tracking is going to attract complaints that it is not offering the required free choice.
Verizon Media does appear to have made a notable change to the design of its cookie banner (circa spring 2021) — so subsequent to the DPC opening its investigation — which tweaked the implementation of the consent flow to include a reject button. A current version of a Yahoo cookie banner (shown below being displayed on a Yahoo website) can be seen including two ‘reject all’ options:

[Screengrab: Natasha Lomas/ZebethMedia]

On the less positive side, this cookie banner tries to claim a “legitimate interest” (i.e. non-consent based) ground for processing people’s data for ad targeting (and defaults those toggles to ‘on’) — but you can at least deny this by selecting “reject all” under the LI field.

The current Yahoo cookie banner implementation — at least on the version we saw — also relegates the reject button to the second level of the menu — rather than displaying it at the top level, alongside the “accept all” option displayed there. This means users have to click through “manage settings” before they can even see a reject all option (while this second level menu is long and requires scrolling) — so the tweaked design may raise fresh objections from regulators since it does not offer an equally easy way to reject tracking as allow it.

Still, it remains to be seen what the EU DPAs will decide on the Yahoo complaint as a whole. Since the complaint predates this implementation of the cookie banner the inquiry may not consider the current design as closely as the old one which netted Yahoo all these complaints. (Although DPAs could also take it into consideration in any order to the company to amend the design of the banner in a final decision.)

One thing is clear: Cookie consents for ad tracking are getting increasing attention from EU regulators.
Early this year, France’s CNIL hit Google and Facebook with substantial fines related to dark patterns on cookie banners (under the ePrivacy Directive, which — unlike the GDPR — does not require cross-border complaints to be funnelled to a lead DPA, as has happened here with the Yahoo complaint). A few months later Google updated its cookie banner in Europe to include a top-level reject all button. Last year, the UK’s data protection watchdog also published an opinion urging the ad tracking industry to prepare

TikTok privacy update in Europe confirms China staff access to data as GDPR probe continues • ZebethMedia

An incoming privacy policy change announced by TikTok yesterday for users in Europe — which, for the first time, names China as one of several third countries where user data can be remotely accessed by “certain” company employees to perform what it claims are “important” functions — has landed months ahead of expected movement on a year-plus-long investigation into the platform’s data exports to China under the bloc’s General Data Protection Regulation (GDPR).

The GDPR probe into the legality of the video sharing platform’s data transfers to China is being led by Ireland’s Data Protection Commission (DPC), TikTok’s lead privacy regulator in the region, which opened the inquiry just over a year ago. The DPC told ZebethMedia today that it expects its TikTok data transfers inquiry to progress to the next stage in the coming months — with a draft decision slated to be sent to other EU DPAs for review in the first quarter of next year.

This ‘Article 60’ review process could lead either to an affirming of Ireland’s draft decision — which would then, in relatively short order, allow for a final decision to be issued (potentially before the middle of next year, judging by past inquiry timelines). However, if other EU regulators raise objections to Ireland’s draft decision the inquiry would have to move to an ‘Article 65’ dispute resolution process — which could add many more months before a final decision could be issued as the bloc’s regulators seek consensus.

It’s not clear whether TikTok’s announcement of the privacy policy tweak relates to this overarching GDPR investigation. The incoming changes — which are due to apply from December 2 — do also include an update on how the platform collects users’ location information, so they are not wholly focused on data transfers.
But the disclosure of China staffers accessing European user data could also be a not-very-subtle attempt to pre-empt regulatory enforcement over its data transfers — and try to soften a future blow by being able to point to steps already taken to improve its transparency with European users. (Not that that is the only potential issue of regulatory concern vis-à-vis data exports, though.)

A spokesman for TikTok declined to comment on whether its updated privacy policy is in any way linked to the GDPR inquiry — saying it could not do so as the inquiry remains ongoing. However, in a blog post announcing the update, the company claimed the changes “include greater transparency into how we share user information outside of Europe”.

That’s notable because transparency is a key principle of the GDPR — while infringements of the transparency principle can lead to stiff penalties (such as the $267M fine for Meta-owned WhatsApp last year, after an Ireland-led inquiry found a string of transparency breaches).

Claiming you’re being transparent and actually being transparent are not necessarily the same thing, of course. So it’s worth noting that TikTok’s updated privacy policy appears to atomize key bits of information — such as the full list of third countries where employees may remotely access European users’ data and for what specific reasons — across a number of collapsible menus and hyperlinks spread throughout the policy, thereby requiring a user to click around, follow multiple links and basically hunt for relevant intel amid a larger morass of data in order to piece together a comprehensive view of what’s happening with their data (rather than clearly articulating and collating everything into a single, easy to digest view…). So, if it’s transparency TikTok is really shooting for here it still looks like it has work to do.
Also still a work in progress for TikTok: A data localization project to store European users’ data in the region — which, earlier this year, it announced had been delayed again (until 2023).

Thing is, if TikTok intends to continue to allow employees located in third countries with no EU adequacy agreement — affirming they have essentially equivalent data protection standards to the bloc — to have remote access to European users’ information, then questions over the legality of its international data transfers are likely to persist.

As well as China, TikTok’s privacy policy names Brazil, Malaysia, the Philippines, Singapore, and the US (which has only a preliminary agreement with the EU for a fresh data transfer agreement at the moment) as countries where employees have remote access to European user data without the cover of an adequacy agreement — saying it’s relying on standard contractual clauses (SCCs) for these transfers. But, as the EDPB guidance on data transfers points out, each transfer to a third country must be individually assessed and some may not be possible legally, even with supplementary measures applied. So every single one of these transfers will need to stand up to regulatory scrutiny.

Given so many third country transfers, TikTok’s European data localization project can only — at least for now — be considered a PR exercise. And/or an attempt to curry favor with local regulators in the hopes they take a kinder view of ongoing data exports. Unless or until it ceases data exports to third countries and finds a way to fully firewall its parent entity in China from being able to access any European users’ data in the clear.
TikTok’s spokesman declined to comment on any future plans it may have to further adapt its data transfers in light of these challenges but he pointed back to its blog post — which describes its approach to data governance in Europe as being “centred on limiting the number of employees with access to European user data, minimising data flows outside of the region, and storing European user data locally”. TikTok’s wider problem is that it’s facing dialled up regulatory scrutiny across the Western world more generally as a result of security concerns attached to the Chinese state’s ability to gain access to data commercial platforms/services hold on their users — with national security laws in its home country overriding the usual standard contractual protections. Its platform

France fines Clearview AI maximum possible for GDPR breaches • ZebethMedia

Clearview AI, the controversial facial recognition firm that scrapes selfies and other personal data off the Internet without consent to feed an AI-powered identity-matching service it sells to law enforcement and others, has been hit with another fine in Europe.

This one comes after it failed to respond to an order last year from the CNIL, France’s privacy watchdog, to stop its unlawful processing of French citizens’ information and delete their data. Clearview responded to that order by, well, ghosting the regulator — thereby adding a third GDPR breach (non-cooperation with the regulator) to its earlier tally.

Here’s the CNIL’s summary of Clearview’s breaches:

- Unlawful processing of personal data (breach of Article 6 of the GDPR)
- Individuals’ rights not respected (Articles 12, 15 and 17 of the GDPR)
- Lack of cooperation with the CNIL (Article 31 of the RGPD)

“Clearview AI had two months to comply with the injunctions formulated in the formal notice and to justify them to the CNIL. However, it did not provide any response to this formal notice,” the CNIL wrote in a press release today announcing the sanction [emphasis its]. “The chair of the CNIL therefore decided to refer the matter to the restricted committee, which is in charge of issuing sanctions. On the basis of the information brought to its attention, the restricted committee decided to impose a maximum financial penalty of 20 million euros, according to article 83 of the GDPR [General Data Protection Regulation].”

The EU’s GDPR allows for penalties of up to 4% of a firm’s worldwide annual revenue for the most serious infringements — or €20M, whichever is higher. But the CNIL’s press release makes clear it’s imposing the maximum amount it possibly can here.

Whether France will see a penny of this money from Clearview remains an open question, however.
The US-based privacy-stripper has been issued with a slew of penalties by other data protection agencies across Europe in recent months, including €20M fines from Italy and Greece, and a smaller UK penalty. But it’s not clear it’s handed over any money to any of these authorities — and they have limited resources (and legal means) to try to pursue Clearview for payment outside their own borders. So the GDPR penalties look mostly like a warning to stay away from Europe. Clearview’s PR agency, LakPR Group, sent us this statement following the CNIL’s sanction — which it attributed to CEO Hoan Ton-That: “There is no way to determine if a person has French citizenship, purely from a public photo from the internet, and therefore it is impossible to delete data from French residents. Clearview AI only collects publicly available information from the internet, just like any other search engine like Google, Bing or DuckDuckGo.” The statement goes on to reiterate earlier claims by Clearview that it does not have a place of business in France or in the EU, nor undertake any activities that would “otherwise mean it is subject to the GDPR”, as it puts it — adding: “Clearview AI’s database of publicly available images is lawfully collected, just like any other search engine like Google.” (NB: On paper the GDPR has extraterritorial reach, so its former arguments are meaningless, while its claim that it’s not doing anything that would make it subject to the GDPR looks absurd given it’s amassed a database of over 20 billion images worldwide and Europe is, er, part of Planet Earth… ) Ton-That’s statement also repeats a much-trotted-out claim in Clearview’s public statements responding to the flow of regulatory sanctions its business attracts: that it created its facial recognition tech with “the purpose of helping to make communities safer and assisting law enforcement in solving heinous crimes against children, seniors and other victims of unscrupulous acts” — not to cash in by unlawfully exploiting people’s privacy — not that, in any case, having a ‘pure’ motive would make any difference to its requirement, under European law, to have a valid legal basis to process people’s data in the first place. “We only collect public data from the open internet and comply with all standards of privacy and law. I am heartbroken by the misinterpretation by some in France, where we do no business, of Clearview AI’s technology to society. My intentions and those of my company have always been to help communities and their people to live better, safer lives,” concludes Clearview’s PR. Each time it has received a sanction from an international regulator it’s done the same thing: denying it has committed any breach and disputing that the foreign body has any jurisdiction over its business — so its strategy for dealing with its own data processing lawlessness appears to be simple non-cooperation with regulators outside the US. Obviously this only works if you plan for your execs/senior personnel to never set foot in the territories where your business is under sanction and abandon any notion of selling the sanctioned service to overseas customers. (Last year Sweden’s data protection watchdog also fined a local police authority for unlawful use of Clearview — so European regulators can act to clamp down on any local demand too, if required.) On home turf, Clearview has finally had to face up to some legal red lines recently. Earlier this year it agreed to settle a lawsuit that had accused it of running afoul of an Illinois law banning the use of individuals’ biometric data without consent. The settlement included Clearview agreeing to some limits on its ability to sell its software to most US companies, but it still trumpeted the outcome as a “huge win” — claiming it would be able to circumvent the ruling by selling its algorithm (rather than access to its database) to private companies in the U.S.
The need to empower regulators so they can order the deletion (or market withdrawal) of algorithms trained on unlawfully processed data does look like an important upgrade to their toolboxes if we’re to avoid an AI-fuelled dystopia. And it just so happens that the EU’s
