The Information Commissioner’s Office (ICO) announced a few days ago its preliminary intention to impose a fine on Clearview AI Inc. of over £17 million.
AI is a facial recognition platform based in the US, which allows its users to carry out biometric searches, including facial recognition searches, through Clearview AI’s database. That database is comprised of over 10 billion facial images taken from public sources, such as news media, mugshot sites, and social media. Users can also upload an image onto the platform in order to carry out a biometric search.
The individuals whose photos have been collected and added to the database did not consent to the use of their personal data in this way, nor were they ever made aware. Whilst Clearview AI has discontinued the availability of the service in the , the ICO found that the company may still be processing significant personal data of UK individuals without their knowledge.
Following a joint investigation with the Office of the Australian Information Commissioner – who recently found that the company also breached Australian’s data protection laws – the ICO found that Clearview AI breached UK data protection laws as follows:
- the processing is carried out in a way that is (in the context of the information being processed or how it was obtained) nor expected by the individuals concerned;
- Clearview AI has no retention process in place and therefore it seems that the data is retained indefinitely;
- Clearview AI has no lawful reason to collect the personal data;
- Clearview AI failed to meet higher data protection standards which are required when processing special categories of data (as is biometric data);
- the individuals concerned were not made aware of this processing; and
- their procedure to respond to objections by individuals is not straightforward and is therefore disincentivising for those individuals.
The ICO has now given the opportunity for Clearview AI to respond to these alleged breaches and, depending on the responses, the ICO might amend the proposed sanction. The ICO is expecting to make a final decision by mid-2022.
Whilst the fine can be appealed, the ICO’s decision, in this case, shows that, after a slow start, enforcement by local regulators of data protection laws (made more robust by GDPR in 2018) is starting to gain momentum. Businesses should not be complacent and assess that a regulator will not look into what they are doing, and that is particularly true with new technologies (such as facial recognition software and AI). If your business is driven by data, get in touch with our Data Privacy Team to make sure your processing structures fit with what you do, and how you operate
This article was written by: Deborah Tastiel, Associate and Specialist in Intellectual Property and Technology Law