The overdue penalty payment of €5.2 million has been issued by the French regulator, the CNIL — on top of a €20 million sanction it slapped the company with last year for breaching regional privacy rules. Clearview refuses payment as it “is not subject to the GDPR [General Data Protection Regulation]”, the company argues. However, the GDPR applies to the personal data of EU citizens, so Clearview would need to have never scraped locals’ selfies off the Internet for the bloc’s data protection law not to apply, and it does not say it has never processed Europeans’ data.