THE INFORMATION Commissioner’s Office (ICO) has fined Clearview AI Inc the substantial sum of £7,552,800 for using images of people in the UK – and elsewhere – that were collected from the Internet and social media to create a global online database that could be used for facial recognition.
The ICO has also issued an Enforcement Notice ordering the company to stop obtaining and using the personal data of UK residents that’s publicly available on the Internet and to delete the data of UK residents from its systems.
The ICO’s action follows on from a joint investigation conducted alongside the Office of the Australian Information Commissioner, which focused on Clearview AI Inc’s use of people’s images, data scraping from the Internet and the use of biometric data for facial recognition.
What did Clearview AI Inc do?
Clearview AI Inc has collected more than 20 billion images of people’s faces and data from publicly available information on the Internet and social media platforms all over the world to create an online database. Individuals were not informed that their images were being collected or used in this way.
The company provides a service that allows customers, including the police service, to upload an image of a person to the company’s app, which is then checked for a match against all of the images in the database.
The app then provides a list of images that have similar characteristics with the photograph provided by the customer, with a link to the websites from where those images came from.
Given the high number of UK Internet and social media users, Clearview AI Inc’s database is likely to include a substantial amount of data from UK residents, which has been gathered without their knowledge.
Although Clearview AI Inc no longer offers its services to UK organisations, the company has customers in other countries. That being so, the organisation is still using the personal data of UK residents.
John Edwards, the UK’s Information Commissioner, stated: “Clearview AI Inc has collected multiple images of people all over the world, including in the UK, from a variety of websites and social media platforms, thereby creating a database holding more than 20 billion images. The company not only enables identification of those people, but effectively monitors their behaviour and offers it as a commercial service. That’s unacceptable. This is why we have acted to protect people in the UK by both fining the company and issuing an Enforcement Notice.”
Edwards continued: “People expect that their personal information will be respected, regardless of where in the world their data is being used. That’s why global companies need international enforcement. Working with colleagues around the world has helped us to take this action and protect people from such intrusive activity.”
Further, Edwards noted: “This international co-operation is essential to protect people’s privacy rights in 2022. That means working with regulators in other countries, as we did in this case with our Australian colleagues. It also means working with regulators in Europe.”
Details of the contraventions
The ICO found that Clearview AI Inc breached UK data protection laws by:
*failing to use the information of people in the UK in a way that’s fair and transparent, given that individuals are not made aware of – or would not reasonably expect – their personal data being used in this way
*failing to have a lawful reason for collecting people’s information
*failing to have a process in place to stop the data being retained indefinitely
*failing to meet the higher data protection standards required for biometric data (classed as ‘special category data’ under the General Data Protection Regulation and the UK GDPR)
*asking for additional personal information, including photographs, when asked by members of the public if they are on their database (this may have acted as a disincentive to individuals who wish to object to their data being collected and used)
The joint investigation was conducted in accordance with the Australian Privacy Act and the UK Data Protection Act 2018. It was also conducted under the Global Privacy Assembly’s Global Cross-Border Enforcement Co-operation Arrangement and the Memorandum of Understanding signed between the ICO and the Office of the Australian Information Commissioner.