Clearview AI insists it does not have a presence in the European Union and is therefore not subject to the General Data Protection Regulation (GDPR). The bloc’s individual data privacy regulators believe otherwise.

France’s CNIL became the fourth European data protection authority (DPA) this year to fine U.S.-based Clearview AI over its controversial facial image aggregation practices. The agency’s penalty of 20 million euros (U.S. $19.6 million) against the company, announced Thursday, matches those of the Hellenic and Italian DPAs before it, while the U.K. Information Commissioner’s Office’s fine of more than 7.5 million pounds (then-U.S. $9.4 million) in May carried a lighter touch.

The Hellenic and Italian enforcement actions were handed down in July and February, respectively.

France was one of the first EU countries to publicly target Clearview AI when its DPA ordered the company in November 2021 to cease the collection and use of data of persons in French territory or risk being fined. The company never responded to this notice, according to the CNIL, prompting the regulator to refer the case to its sanctions committee.

The committee’s penalty is the maximum it could impose in the case, in accordance with Article 83 of the GDPR.

Clearview AI’s app allows users to upload an image of an individual’s face and match it to photos of that person’s face collected from the internet. It then links to where the photos appeared. The system includes a database of more than 20 billion images Clearview AI claims to have taken from various social media platforms and other websites where the information is publicly available.

The EU DPAs contend images belonging to their residents are in that database and accessible to customers in other countries. Therefore, those residents’ personal data is being collected and sold without their knowledge or consent.

The CNIL ruled Clearview AI violated Article 6 of the GDPR through its unlawful processing of French citizens’ data. The company was further criticized for difficulties encountered by French complainants exercising their rights of access and erasure, as the company “provides partial responses or does not respond at all to requests,” according to the regulator. These actions violated Articles 12, 15, and 17 of the GDPR.

Finally, the CNIL cited violations of Article 31 of the GDPR regarding Clearview AI’s lack of cooperation in the case.

The DPA, similar to its EU counterparts, ordered Clearview AI to stop the collection of personal data from data subjects in France and required it to delete any data it already collected from the country’s residents. The company was given two months to comply, or it will be fined an additional €100,000 (U.S. $98,000) per day of delay.

Clearview AI did not respond to a request for comment, though it has previously stated it does not have any place of business or customers in the European Union in response to its other penalties.