I requested my data back in March 2020 when they were on HN, never got an answer.
They wanted me to upload a photo ID to verify my identity and I was stupid enough to comply.
One commenter said:
This is a case of 'never click "opt-out" on spam'. Clearview is not to be trusted. One should not go through their process. They are not likely to delete the data, and if they have none, they are likely to create a profile for you.
Your comment is extremely point on, yet was dead, so I vouched for it.
I think you perfectly highlight the difficulty of the current opt-out process.
I do not know how it should be done without revealing more information, except maybe by using an attorney that would have the legal power to act in your name while only revealing his information, and not yours.
There are ways. How about: arrest ClearView top brass on their next visit to Europe? Remember the Huawei heir who got sent to jail on a trip to Canada. Do the ClearView head honchos really want to be confined to travelling within the US? So while it might be difficult to go after ClearView in the US, France (and the rest of the EU, the UK, Canada, Australia) would become no-go zones for ClearView staff. Not to mention that these countries could also seize assets owned by ClearView leadership, as long as these are within their jurisdiction. In an interconnected world, it is exceedingly difficult to avoid such scenario.
The question is rather: would the US step up and put pressure on the French if events would unfold in this way?
If the company doesn't do business in the EU (i.e. has no EU customers), there are still some things that can be done. Maybe target suppliers to Clearview? The cloud providers are obvious targets. Put out arrest orders for Clearview employees? Maybe try to have the US govt enforce it?
How does GDPR allow a foreign entity to punish or fine a company based entirely in the USA? I am genuinely curious, I have wondered this for ages. Every resource I have looked at says that as a US business I need to comply with GDPR, and that I can face fines if I don't. But I have never seen the mechanisms in which those fines can be enforced. Is the US government enforcing those fines?
If you do business in the EU, you likely have money there. Might be hard for a company that isn’t international to be fined though. However, California has privacy laws now and could fine a US company.
> Clearview AI does not have a place of business in France or the EU, it does not have any customers in France or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR.
> To be clear, Clearview AI has not violated any law nor has it interfered with the privacy of Australians. Clearview AI does not do business in Australia, does not have any Australian users.
> The UK ICO Commissioner’s assertions are factually and legally incorrect. The company is considering an appeal and further action. Clearview AI provides publicly available information from the internet to law enforcement agencies. To be clear, Clearview AI does not do business in the UK, and does not have any UK customers at this time.
> Clearview AI’s technology is not available in Canada and it does not operate in Canada.
This time, and the last three times, Clearview have made the same legal argument. That because they have no physical basis in a country, and because their customers aren't in that country (though several times that has occurred post-breach), they cannot possibly have breached that country's laws.
Despite the privacy laws of every nation being around the _citizen_, not their physical location. All four places have extraterritoriality baked into their privacy laws, and all four have trade agreements with the US in place that could mean that they could ask the US to enforce compliance and make it into a diplomatic issue.
How many more times do their lawyers have to be told the same thing before they try and come up with a new argument?
I'm guessing EU has enough power to pull such a minor thing through without issues.
Just raising tarrifs on some US made stuff, until this is resolved, will make many larger and stronger companies phone the US administration directly and make a deal.
Enforcing foreign judgements of those lacking jurisdiction is a tall order and certainly not minor. The precedent alone means a forceful approach may get them refusing from sheer spite. Politically it would be suicidal to be seen as weak.
As for how well tarrifs worked, see the story of the Chicken Tax and light trucks.
Meh... diplomacy is diplomacy... germans threathen the russians with an embargo, russians close down the gas pipes, they make a deal, and it's business as usual. Same thing is happening (although with less media coverage) between many countries daily.
How many more times do these bodies need to pass "orders" that don't result in any action before they come up with a new approach?
The US does not have GDPR. Period. Flat out. Full stop. Once you understand that, things will make a lot more sense.
And no, extraterritoriality means absolute zero here. That french citizen traveling in America? Heads up, US Customs does not have to respect to GDPR. Neither does the walmart he shops at. Neither does Amazon if he orders something online.
Claiming they do is weird, that's not how it works.
Before we are snarking about clearview having to come up with new arguments, let's evaluate how well their current arguments are working?
Pretty darn well.
And my guess is the US government, rather than shutting them down, will PAY them to do their stuff, ESPECIALLY on overseas nationals. This is exactly the type of big government "anti terrorism" surveillance style databases govts love.
> Heads up, US Customs does not have to respect to GDPR.
Customs is part of a sovereign nation. What customs can and can't do has precious little bearing on what companies can and can't do. It's basically irrelevant.
> Neither does the walmart he shops at. Neither does Amazon if he orders something online.
Sure, if both are OK with not being able to operate in the EU _and_ believe the US government will take the political heat for refusing to enforce the EUs laws.
We also don't strictly _have_ to extradite criminals to other countries. But we usually do.
International law functions nothing like domestic law, because there is no higher power to say "no, you can't do that". If the EU can get the US to punish US companies through diplomacy, force or trades, then that's how things work. If they can't, then it's not how things work.
My guess is that the US won't shield them. It's not critical for US defense, largely redundant with data available from Facebook, and we're already fighting to keep our existing tech giants abroad. Clearview is more useful as a sacrificial pawn than trying to get it crowned a queen.
The political heat for refusing to enforce EU laws? Is this a serious claim?
American's by and large don't want others laws enforced here. Not China's, not middle eastern laws, and they fought a war of independence against having European laws apply in the US (ie, the US killed folks over this).
A current political issue is partly the US enforcement of its laws overseas, which has rubbed many countries the wrong way. Because of the significance of the US in the current financial system the US has exercised really outsized power internationally.
> We also don't strictly _have_ to extradite criminals to other countries. But we usually do.
As far as I know a country won’t extradite one of their citizens for something that isn’t illegal in their home country.
Or extradite for something that is legal in the country else we’d be seeing a bunch of Saudi expat women getting extradited for gasp driving a car or something.
Thailand was mulling over extraditing Nur Sajat, a Malaysian trans woman, on charges of blasphemy for "cross-dressing," a crime implicitly defined in its Sharia court system. I'm not sure where happened in her case, but the very fact Thailand didn't reject Malaysia's request immediately suggests people are extradited even when the charges wouldn't apply in the extraditing country.
I'm curious, do you also think it's wrong when the US applies its own laws worldwide where they concern its citizens (e.g. FATCA, Hague Invasion Act.)?
Even Draco knew that making unenforceable laws just breeds contempt for the law. Regardless of the answer to that question it still is a poor decision which makes them look like a tinpot dictatorship trying overseas critics in absentia.
I warned people about this garbage when GDPR came out and was shouted down for it. It's the same as the fucking copyright laws we're all burdened with.
What did you try to warn them about? That they will have more control over how companies use their PI? Doesn't seem very surprising that you got "shouted" down.
Let's say Clearview says they are deleting the data. How could France make sure the data is actually deleted? Is it possible without perusing Clearview's source code and accessing its servers?
They'd also have to be able to identify pictures of French people. Perhaps a large US-based corporation could help them developing a tool to do it? They'd need lots of examples first.
Clearview AI is one of the main arguments I have used to convince many friends and family to stop posting face pictures to the web, especially of children who cannot consent.
The social web is definetly a poorer experience without pictures, but this is the way our capitalist masters have decided to destroy our commons.
> Clearview sought to suggest the company is not subject to the GDPR — although the regulation is extraterritorial in scope, meaning it is applicable and (at least in theory) enforceable outside the EU’s borders in instances when EU people’s data has been processed in violation of the rules.
GDPR applies also outside of the EU? who exactly thought this one up? how can the EU possibly think it can enforce this and does the EU think europeans should be subject some special rules when in a foreign country?
They wanted me to upload a photo ID to verify my identity and I was stupid enough to comply.
One commenter said:
I should have listened, lesson learned.