The Information Commissioner’s Office (ICO) announced on 29 November 2021 its “provisional intent to impose a potential fine of just over £17 million on Clearview AI inc (Clearview)” . The ICO has issued a “provisional notice to stop further processing of personal data of people in the UK and to delete it following alleged serious breaches of data protection laws" following its joint investigation with the Office of the Australian Information Commissioner.
Clearview, which proudly declares it is the “world’s largest facial network”, combined images, data scraped from the internet - particularly social media sites - and biometrics for facial recognition. The database has more than 10 billion images, and the ICO believes that many of the images in Clearview’s database “are likely to include” a large number of people from the UK and may have been gathered without knowledge or consent from information publicly available online.
Clearview customers can provide an image to the company who will then carry out biometric searches, including facial recognition searches, to identify relevant facial image results against its extensive database. The attraction for law enforcement agencies becomes clear, however, following a free trial by “a number of UK law enforcement agencies” the trial was discontinued.
While Clearview’s services are no longer being offered in the UK, the ICO’s initial view is that Clearview has failed to comply with UK data protection laws in a number of ways, including:
- “failing to process the information of people in the UK in a way they are likely to expect or that is fair;
- failing to have a process in place to stop the data being retained indefinitely;
- failing to have a lawful reason for collecting the information;
- failing to meet the higher data protection standards required for biometric data (classed as ‘special category data’ under the GDPR and UK GDPR);
- failing to inform people in the UK about what is happening to their data; and
- asking for additional personal information, including photos, which may have acted as a disincentive to individuals who wish to object to their data being processed.”
The list is rather damning, but not unsurprising given the alleged behaviour and the potential size of the fine.
Clearview refute the ICO’s findings saying they are “factually and legally incorrect”, that they only provided publicly available information and are deciding whether to appeal. The ICO has made clear they will “carefully consider...” any representations, as well as managing expectations that the proposed fine may be “subject to change” and go as far as to say there may be “no further action”. This sounds like the ICO hedging its bets but with John Edwards, the new Information Commissioner, due to take up his post in January 2022 this may be the best way to handle any uncertainty. The final decision is not expected until the middle of next year but with interest in AI, biometrics and particularly facial recognition it will certainly be one to watch.
“I have significant concerns that personal data was processed in a way that nobody in the UK will have expected. It is therefore only right that the ICO alerts people to the scale of this potential breach and the proposed action we’re taking.”