The UK’s Information Commissioner’s Office (ICO) has fined facial recognition database firm Clearview AI £7.5m for breaching UK data protection rules.
This represents a huge reduction on the £17m fine the ICO initially said it planned to issue US-based Clearview AI in November 2021. This followed a joint investigation conducted in accordance with the Australian Privacy Act and the UK Data Protection Act 2018.
The company has been penalized for creating an online database by collecting over 20 billion images of people’s faces and data from publicly available information sources on the internet and social media. It failed to inform any of these individuals that their images were being collected or used in this way.
In addition to the fine, the ICO has issued an enforcement notice ordering Clearview AI to stop obtaining and using the personal data of UK residents that is publicly available on the internet. It must also delete existing data of UK residents from its systems.
The company pitches its web-based intelligence platform, powered by facial recognition technology, as a tool that helps law enforcement “generate high-quality investigative leads.”
Users can upload an image of a suspect’s face and search for matching images that appear online.
The UK’s data protection regulator stated that Clearview AI breached UK data protection rules in the following ways:
- Failing to use the information of people in the UK in a way that is fair and transparent, given that individuals are not made aware or would not reasonably expect their personal data to be used in this way
- Failing to have a lawful reason for collecting people’s information
- Failing to have a process in place to stop the data from being retained indefinitely
- Failing to meet the higher data protection standards required for biometric data (classed as ‘special category data’ under GDPR and UK GDPR)
- Asking for additional personal information, including photos, when asked by members of the public if they are on their database. This may have acted as a disincentive to individuals who wish to object to their data being collected and used.
John Edwards, UK Information Commissioner, explained: “Clearview AI Inc has collected multiple images of people all over the world, including in the UK, from a variety of websites and social media platforms, creating a database with more than 20 billion images. The company not only enables the identification of those people, but effectively monitors their behavior and offers it as a commercial service. That is unacceptable. That is why we have acted to protect people in the UK by both fining the company and issuing an enforcement notice.
“People expect that their personal information will be respected, regardless of where in the world their data is being used. That is why global companies need international enforcement. Working with colleagues around the world helped us take this action and protect people from such intrusive activity.
“This international cooperation is essential to protect people’s privacy rights in 2022. That means working with regulators in other countries, as we did in this case with our Australian colleagues. And it means working with regulators in Europe, which is why I am meeting them in Brussels this week so we can collaborate to tackle global privacy harms.”
Expressing his disappointment with the ICO’s decision, Clearview AI’s CEO, Hoan Ton-That, stated: “I created the consequential facial recognition technology known the world over.
“My company and I have acted in the best interests of the UK and their people by assisting law enforcement in solving heinous crimes against children, seniors and other victims of unscrupulous acts.”
He added: “We collect only public data from the open internet and comply with all standards of privacy and law. I am disheartened by the misinterpretation of Clearview AI’s technology to society. I would welcome the opportunity to engage in conversation with leaders and lawmakers so the true value of this technology which has proven so essential to law enforcement can continue to make communities safe.”
In December 2021, France’s data protection regulator ordered Clearview AI to stop illegally processing images.
Commenting on the ICO’s decision to reduce Clearview AI’s fine, Edward Machin, a senior lawyer in Ropes & Gray’s data, privacy & cybersecurity practice, said: “Following the pattern of its previous blockbuster fines, the ICO has also taken a steep reduction on the final penalty amount issued to Clearview, from £17 million to £7.5 million. That approach was a hallmark of the previous commissioner, who announced the initial Clearview fine, so it will be interesting to see whether John Edwards takes a different tact when calculating penalties under his own name.”
“The biggest challenge for the ICO will be how its decision is applied, given that Clearview claims not to operate in the UK. There has been very little enforcement of the GDPR against businesses that have no European operations, so this could well prove to be another case where a foreign company is found liable in absentia.”