Facial recognition: Clearview AI fined more than £7.5m by the ICO

Clearview AI – Facial recognition

Clearview AI has gained a lot of controversial press since the New York Times exposé in 2021[1]. It is an American facial recognition business which describes itself as the “World’s largest facial network”[2], and has been used by law enforcement bodies in the US and in the UK to assist with criminal prosecutions. Globally, Clearview AI has stored more than “20 billion faces”[3] which are scraped from Facebook, Instagram and other platforms.

Recent decisions by the EU Data Protection Authorities (“DPA”)

In December 2021, the French DPA (CNIL) ordered Clearview AI "to stop unlawfully collecting and processing the personal data of data subjects on the French territory”.

The Italian DPA (the Garante) went one step further in March 2022 and fined Clearview AI €20 million for the unlawful processing of biometric and geolocation data and ordered Clearview AI to prohibit any collection and processing activities in Italy. Interestingly, Clearview AI has challenged this decision with jurisdictional arguments.

A similar decision is also expected by the Austrian DPA soon.

The ICO’s decision

Alongside the ICO’s monetary penalty notice to Clearview AI for £7,552,800, they have issued an enforcement notice, “ordering the company to stop obtaining and using the personal data of UK residents that is publicly available on the internet, and to delete the data of UK residents from its systems”. The ICO found that Clearview AI Inc breached UK data protection laws by:

• “failing to use the information of people in the UK in a way that is fair and transparent, given that individuals are not made aware or would not reasonably expect their personal data to be used in this way”;
• “failing to have a lawful reason for collecting people’s information”;
• “failing to have a process in place to stop the data being retained indefinitely”;
• “failing to meet the higher data protection standards required for biometric data”; and
• “asking for additional personal information, including photos, when asked by members of the public if they are on their database. This may have acted as a disincentive to individuals who wish to object to their data being collected and used.”

The joint investigation was conducted in accordance with the Australian Privacy Act and the UK Data Protection Act 2018.

Next steps and implications

We await the release of the ICO’s Enforcement Notice and Monetary Penalty Notice to understand in further detail the ICO’s reasoning and assessment. The Notices are expected to be published shortly. It will be interesting to understand the ICO’s reasoning behind the 45% reduction in the fine imposed.

Many commentators have suggested that Clearview AI may appeal the fine, with arguments being advanced that Clearview AI is not subject to the ICO’s jurisdiction. We believe the fine will be challenged on jurisdictional grounds. What we do not know is how Clearview AI will evidence this as it is known that its former clients include law enforcement bodies in the UK, including: the Ministry of Defence, the Metropolitan Police, and the National Crime Agency. Although it is alleged that Clearview AI Inc no longer offers its services to UK organisations, the ICO fined the company as it has customers in other countries, so the company is still using personal data of UK residents without their consent globally.

[1] https://www.nytimes.com/interactive/2021/03/18/magazine/facial-recognition-clearview-ai.html

[2] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/11/ico-issues-provisional-view-to-fine-clearview-ai-inc-over-17-million/

[3] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2022/05/ico-fines-facial-recognition-database-company-clearview-ai-inc/