The Information Commissioner’s Office (ICO) has announced it will fine facial recognition company Clearview AI over £7.5 million. In addition, the ICO said it would order the firm to delete all data it holds on UK residents. The ICO conducted its investigation into Clearview in conjunction with the Office of the Australian Information Commissioner (OAIC).
The decision comes after France’s data privacy watchdog, CNIL, ordered Clearview AI to stop collecting and using data in the country in December 2021.
What led to Clearview AI’s fine?
According to the ICO, Clearview has built a database of over 20 billion images of people’s faces and data from publicly available sources like social media platforms. The company provides a service allowing customers, including police forces, to upload images to its app, which then checks for matches against all the images in the Clearview database. Clearview then provides the user with all the photos in its database that have similar characteristics to the one uploaded and links to their source.
The ICO believes that Clearview’s database is likely to include substantial volumes of data from UK residents gathered without their knowledge or permission. While Clearview no longer offers its services to UK organisations, the company is still using UK residents’ data in the services it provides to international clients.
ICO outlines its reasoning
In publishing its findings of the Clearview case, John Edwards from the ICO said: “Clearview AI Inc has collected multiple images of people all over the world, including in the UK, from a variety of websites and social media platforms, creating a database with more than 20 billion images. The company not only enables identification of those people, but effectively monitors their behaviour and offers it as a commercial service. That is unacceptable. That is why we have acted to protect people in the UK by both fining the company and issuing an enforcement notice.
“People expect that their personal information will be respected, regardless of where in the world their data is being used. That is why global companies need international enforcement. Working with colleagues around the world helped us take this action and protect people from such intrusive activity.
“This international cooperation is essential to protect people’s privacy rights in 2022. That means working with regulators in other countries, as we did in this case with our Australian colleagues. And it means working with regulators in Europe, which is why I am meeting them in Brussels this week so we can collaborate to tackle global privacy harms.”
Further details available on Clearview’s contraventions
Because the case was investigated jointly, the investigation was conducted in accordance with both the UK Data Protection Act 2018 and the Australian Privacy Act.
The ICO said Clearview was guilty of the following specific contraventions of the UK Data Protection Act:
- Failing to use the information of people in the UK in a way that is fair and transparent, given that individuals are not made aware or would not reasonably expect their personal data to be used in this way
- Failing to have a lawful reason for collecting people’s information
- Failing to have a process in place to stop the data being retained indefinitely
- Failing to meet the higher data protection standards required for biometric data (classed as ‘special category data’ under the GDPR and UK GDPR)
- Asking for additional personal information, including photos, when members of the public ask whether they are in its database. This may have acted as a disincentive to individuals who wish to object to their data being collected and used.
Are you entitled to compensation?
If you’ve experienced problems in getting Clearview AI to share or delete the data it holds about you, you could be entitled to compensation.
Contact LawPlus to tell us about your experience of dealing with Clearview, and get a free, no-obligation assessment of your potential data breach claim.