French and British Data Authorities’ Latest Actions Are an Unjust Regulatory Overreach Against America

CNIL, the French Data Protection Authority, recently ordered Clearview AI, a U.S. company that offers law enforcement a “search engine for faces,” to delete all of its data about French data subjects. This comes a few weeks after the UK’s Information Commissioner’s Office fined the company $22.6 million for allegedly violating its data protection laws and similarly ordered it to delete the data of people in Britain. These rulings represent an unprecedented extraterritorial overreach by European regulators that does nothing to protect consumer privacy, threatens public safety in America, and undermines the goals of free speech and an open Internet.

First, these orders are a clear reminder that Europe’s privacy law, the General Data Protection Regulation (GDPR), is not a law about privacy (i.e., protecting one’s private life, family life, home, and correspondence from being observed by others) but one about data protection (i.e., imposing obligations on entities that process data). In this case, the company Clearview searches photos available on the public Internet. As a general matter, individuals have no reasonable expectation of privacy for photographs lawfully published on the Internet that any Internet user in any country could access. People in any country could download copies of the photos because they are public. Yet CNIL’s core objection is that Clearview has violated the GDPR because it has processed this personal data without a legal basis (such as user consent). Indeed, the order emphasizes that under the GDPR, data processors still need a legal basis for processing public data. Therefore, nothing in these orders would protect consumer privacy since these orders only deal with publicly available information.

Second, these orders would have grave implications for safety in the United States. Both France’s and the UK’s orders instruct Clearview to delete all information they hold about their French and British data subjects, respectively. Unless these two countries provide a database of photos of their citizens, there is no viable way for Clearview to meet this requirement. After all, the company is searching photos from the public Internet—it has no way to determine the nationality of the individuals in the photos. As a result, the company has few options to comply with the order beyond not processing any data.

If it were to follow through with this request, the result would be that no country anywhere in the world would be able to make use of Clearview’s service. Not only could U.S. law enforcement agencies not use the tool to locate a British or French national who comes to the United States and commits a crime that is recorded on camera, but if the company must delete all of its data to comply with these orders, the tool would be rendered useless for everyone. Therefore, demanding that Clearview stop processing data about their data subjects is not a reasonable or proportionate response. If France and the UK are concerned about the implications of law enforcement using this tool, a better option is to simply not use it.

Finally, these orders represent a critical blow to both free speech and a free and open Internet because they directly implicate what individuals and businesses can do with legal personal data they download from the Internet. For example, other search engines and web proxies may also store or processes images of Europeans from the Internet—there is no reason that a European regulator might not take action against one of these businesses in the future. Similarly, coding has long been recognized as a form of speech, and data protection authorities can treat individuals as data controllers—so this ruling would suggest that European regulators believe it would be within their authority, for example, to prohibit an American from executing code on their personal computer that would process publicly available photos from the Internet about Europeans. Or perhaps European regulators would like to prohibit Americans from retweeting photos European users share of themselves on social media. None of these outcomes would advance the idea, often espoused by European and American policymakers alike, that countries should promote a mostly open Internet—giving users the freedom to connect, speak, innovate, and share content with few restrictions.

The primary problem with both of these orders is that they do not consider the extraterritorial impact of their decisions. As ITIF has written before in its report “Beyond Internet Universalism: A Framework for Addressing Cross-Border Internet Policy,” countries will often have different policy objectives, so they should not act unilaterally to impose policies that directly affect individuals or organizations outside their country. Instead, they should either pursue policies that minimize their impact outside their domestic jurisdiction or work to build international consensus on these issues through multilateral forums.

Rather than acting unilaterally, the UK and France could have raised these concerns in existing forums such as the EU-US Trade and Technology Council or as part of the revitalized Atlantic Charter. But since these countries have acted without regard to the impact on the United States, U.S policymakers should respond. After all, while Clearview disputes the legality of both of these orders and will likely appeal them, the orders themselves put the company at existential risk. For example, the UK fine alone amounts to 60 percent of the total funds it has raised from investors. Moreover, the company will likely face similar actions from data protection officials in other European countries in the coming months, a pressure that would be challenging for any startup to handle. Therefore, while the company will likely appeal these orders, it should do so with explicit and forthright political support from the U.S. government designed to defend U.S. companies from unfair extraterritorial enforcement actions, protect public safety, and preserve Internet freedoms.