ICO hits facial recognition firm with £7.5m fine and order to delete all UK data
Regulator finds that collection of online images was not fair, transparent or lawful
The Information Commissioner’s Office has hit US facial-recognition firm Clearview AI with a fine of more than £7.5m and an order to delete all data on UK residents and collect no further such information in the future.
The data-protection watchdog – which teamed up with its Australian counterpart to jointly investigate the firm – found that it collected data in a way that was not fair or transparent, and for which there was no lawful reason.
The ICO said that the New York-based company “has collected more than 20 billion images of people’s faces and data from publicly available information on the internet and social media platforms all over the world to create an online database”.
This data is then used to power a service through which customers – most notably law-enforcement agencies – can use an app to check images against the tech firm’s database to try and find possible matches.
“The app then provides a list of images that have similar characteristics with the photo provided by the customer, with a link to the websites from where those images came from,” the ICO said.
Although Clearview AI no longer serves UK customers, London’s Metropolitan Police Service is understood to have previously used the company’s technology, as have the National Crime Agency and the Ministry of Defence.
But, even in the absence of any UK clients, the ICO concluded that the image database “is likely to include a substantial amount of data from UK residents, which has been gathered without their knowledge” – and can still be accessed by users of Clearview AI’s services in other countries.
The regulator has thus ordered that the company must delete from its database all images and other data of UK residents – and stop collecting any such data from now on.
The tech firm must also pay a fine of £7,552,800 – a figure which has been reduced from a proposed penalty of £17m set out by the ICO six months ago.
The punishment comes after the investigation concluded that, among the company’s various breaches of data-protection law, was a failure “to have a process in place to stop the data being retained indefinitely… [and] to meet the higher data-protection standards required for biometric data [which is] classed as ‘special category data’ under the GDPR and UK GDPR”.
The ICO also reported that, when members of the public made enquiries about whether their data was stored in the image database, they were asked “for additional personal information, including photos… [which] may have acted as a disincentive to individuals who wish to object to their data being collected and used”.
Information commissioner John Edwards said: “Clearview AI Inc has collected multiple images of people all over the world, including in the UK, from a variety of websites and social media platforms, creating a database with more than 20 billion images. The company not only enables identification of those people, but effectively monitors their behaviour and offers it as a commercial service. That is unacceptable. That is why we have acted to protect people in the UK by both fining the company and issuing an enforcement notice. People expect that their personal information will be respected, regardless of where in the world their data is being used. That is why global companies need international enforcement. Working with colleagues around the world helped us take this action and protect people from such intrusive activity.”
He added: “This international cooperation is essential to protect people’s privacy rights in 2022. That means working with regulators in other countries, as we did in this case with our Australian colleagues. And it means working with regulators in Europe, which is why I am meeting them in Brussels this week so we can collaborate to tackle global privacy harms.”
Clearview AI chief executive Hoan Ton-That said: “I am deeply disappointed that the UK Information Commissioner has misinterpreted my technology and intentions. We collect only public data from the open internet and comply with all standards of privacy and law. I am disheartened by the misinterpretation of Clearview AI's technology to society.”
The ICO’s punishment is not the first brush with the law for the controversial tech outfit, with regulators in Italy having fined the company €20m earlier this year. In a lawsuit brought by the American Civil Liberties Union, Clearview AI also recently reached a settlement in which it agreed to no longer sell its existing services to private businesses or individuals; the firm is understood to have previously counted major retailers, banks and telecoms providers among its clients.
Shortly after reaching its settlement with the ACLU, the firm unveiled its ‘Clearview Consent’ product for businesses, which will not tap into the 20 billion-strong image database but, instead, will only enable processes in which the data subject has provided their consent.