"However, the GDPR prohibits the processing of data belonging to EU citizens regardless of whether an organization does any business on the continent. ®"
Countries or blocks can make whatever laws they want, that doesn't mean they're enforceable outside their boarders. If Clearview's statement about not doing business in the EU is accurate, the CNIL's ability to enforce it is down to finding a sympathetic judge in the U.S who is willing to enforce it...which seems unlikely.