Clearview AI, the New York-based facial recognition firm that is targeting 100 billion facial images in its database by the close of 2022, has been fined €20 million ($19.7 million) by France’s data protection authority, the CNIL, for what the agency says is the illegal collection and processing of personal biometric data belonging to French citizens. The fine comes after the CNIL last year ordered Clearview to cease data collection and delete its existing database, instructions the company reportedly ignored. This is Clearview’s third breach of the EU General Data Protection Regulation (GDPR) pertaining to France.

“Clearview AI had two months to comply with the injunctions formulated in the formal notice and to justify them,” the CNIL explained in a press release indicating that Clearview has thus far been non-responsive, writing: “It did not provide any response to this formal notice.”

The CNIL chair therefore “decided to refer the matter to the restricted committee, which is in charge for issuing sanctions. On the basis of the information brought to its attention, the restricted committee decided to impose a maximum financial penalty of 20 million euros, according to article 83 of the GDPR.”

The GDPR permits penalties up to the greater of 4 percent of a company’s annual worldwide revenue or €20 million.

The CNIL’s press release “makes clear it’s imposing the maximum amount it possibly can here,” writes TechCrunch, adding it is unclear if France will ever be able to collect, since Clearview has been racking up fines from “other data protection agencies across Europe in recent months, including €20M fines from Italy and Greece; and a smaller UK penalty, but there is no public record of payment, and the authorities “have limited resources (and legal means) to try to pursue Clearview for payment outside their own borders.”

That makes the latest GDPR penalties “look mostly like a warning to stay away from Europe,” TechCrunch says.

A representative for Clearview issued a statement to TechCrunch claiming “there is no way to determine if a person has French citizenship, purely from a public photo from the Internet, and therefore it is impossible to delete data from French residents,” while arguing that it is not subject to the GDPR’s jurisdiction.

It further emphasized that “Clearview AI’s database of publicly available images is lawfully collected, just like any other search engine like Google,” TechCrunch reports. This free speech defense has been Clearview’s go-to rebuttal as it fends off attacks from around the globe. In May it settled a privacy lawsuit brought by the ACLU in Illinois.

Clearview AI not only collects images, but “sells access to this database to various operators of facial recognition systems, some of them used by law enforcement authorities and private entities worldwide,” writes Bleeping Computer, explaining that “in Europe, the GDPR dictates that any data collection needs to be clearly communicated to the people and requires consent.”