The UK’s data protection watchdog has confirmed a penalty for controversial facial recognition company Clearview AI – today announcing a fine of just over £7.5million over a series of violations of local privacy laws.
The watchdog also issued an enforcement notice, ordering Clearview to stop obtaining and using the personal data of UK residents that is publicly available on the internet; and telling it to remove UK residents’ information from its systems.
The American company has built a database of more than 20 billion facial images by extracting data from the public internet, such as social media services, to create an online database that it uses to populate an AI-based identity matching service that it sells to entities such as law enforcement. The problem is that Clearview never asked individuals if it could use their selfies for this. And in many countries, it has been found to violate privacy laws.
In a statement accompanying today’s enforcement, UK Information Commissioner John Edwards said:
“Clearview AI Inc has collected multiple images of people around the world, including the UK, from various websites and social media platforms, creating a database with over 20 billion images. The company not only identifies these people, but effectively monitors their behavior and offers it as a commercial service. This is unacceptable. That’s why we’ve taken action to protect people in the UK by fining the company and issuing an enforcement notice.
“People expect their personal information to be respected, no matter where in the world it is used. This is why global companies need an international app. Working with colleagues around the world has helped us take this step and protect people from such intrusive activity.
“This international cooperation is key to protecting people’s right to privacy in 2022. This means working with regulators in other countries, as we have done in this case with our Australian colleagues. And that means working with regulators in Europe, which is why I’m meeting with them in Brussels this week so we can work together to tackle privacy breaches around the world.”
“Given the high number of UK internet and social media users, Clearview AI’s database is likely to include a substantial amount of data from UK residents, which has been collected without their knowledge,” the British watchdog also wrote in a press release.
“Although Clearview AI no longer offers its services to UK organisations, the company has customers in other countries, so the company still uses the personal data of UK residents,” it added.
The Information Commissioner’s Office (ICO) warned Clearview it could impose a financial penalty last fall, when it also ordered the US-based company to stop processing UK citizens’ data and delete all the data it held.
It confirmed those preliminary findings in today’s official enforcement action – concluding that Clearview breached a series of legal requirements.
Specifically, the ICO said Clearview had no legal basis to collect information about people; failed to use individuals’ information in a fair and transparent manner, as individuals are not made aware of, and would not reasonably expect, their personal data being used for the purposes for which Clearview uses it; has no process in place to prevent the data from being retained indefinitely; has failed to meet the higher data protection standards required for biometric data (i.e. “special category data” under the EU General Data Protection Regulation and the UK GDPR); and, in another violation, Clearview requested additional personal information, including photos, when asked by members of the public whether they were in its database, thereby impeding their data access rights. “This may have deterred people who want to object to the collection and use of their data,” the ICO noted on the matter.
Clearview has been contacted for comment on the UK sanction.
One thing to note is that the level of the fine is considerably lower than the £17m+ announced by the ICO last fall in its interim order against Clearview. We asked the regulator about the reduction – although the exact amount of the fine imposed on Clearview may prove irrelevant if it refuses to pay.
International regulators have limited means to enforce confidentiality orders against foreign entities if they choose not to cooperate and lack a local representative against whom an order can be enforced.
Yet such sanctions at least limit Clearview’s ability to expand internationally – as any local office would be directly responsible to regulators in those markets.
The UK sanction is by no means the first international sanction for Clearview. The UK investigation was a joint proceeding with Australia’s privacy watchdog which also ordered the firm to stop processing citizens’ data and delete any information it had held over the past year. France and Canada have also sanctioned the company, while Italy’s data protection regulator fined Clearview €20 million in March.
On its own turf, Clearview agreed earlier this month to settle a 2020 lawsuit from the American Civil Liberties Union, which accused it of violating an Illinois law (the Biometric Information Privacy Act; BIPA) that prohibits the use of biometric data of individuals without consent.
The terms of the settlement appear to prohibit Clearview from selling or providing access to its facial recognition database to private companies and individuals nationwide in the United States, although an exception for contractors is included (but with a five-year ban on supplying subcontractors within Illinois itself).
The settlement also requires Clearview to maintain an opt-out system to allow Illinois residents to block their likenesses from its facial search results – and to end a controversial practice of offering police officers free trials if those people do not get approval for their services to test the software.
However, Clearview turned it into a win – suggesting it would respond by selling its algorithm to private companies in the US, instead of monetizing access to its database of scraped selfies.