ICO orders Clearview AI to delete all UK data
The UK Information Commissioner’s Office (ICO) has fined facial recognition database firm Clearview AI more than £7.5 million (around $9.4 million) for breaching the UK GDPR. The ICO has also ordered Clearview to stop scraping and using the personal data of UK residents, and to delete the data of UK residents from its systems.
Clearview has scraped more than 20 billion images of faces and data available on the internet. Its service then allows customers – including the police – to upload an image to the Clearview app which matches it to images in the database. Close matches and a link to the source of the matches are returned to the customer.
Clearview no longer offers its services in the UK. However, the ICO believes its database will inevitably include images of UK residents, and these details are made available to users outside of the UK.
Announcing the fine and enforcement notice, John Edwards, UK Information Commissioner, said, “Clearview AI Inc has collected multiple images of people all over the world, including in the UK, from a variety of websites and social media platforms, creating a database with more than 20 billion images. The company not only enables identification of those people, but effectively monitors their behavior and offers it as a commercial service. That is unacceptable. That is why we have acted to protect people in the UK by both fining the company and issuing an enforcement notice.”
Key failures under the UK GDPR (and therefore also the EU GDPR) include a failure to be fair and transparent (individuals are unaware that their images may have been scraped and included in the database), and the lack of a lawful reason to collect people’s information.
This is not the first time Clearview has been sanctioned under data privacy laws. In February 2021, Canada’s privacy commissioner Daniel Therrien said, “What Clearview does is mass surveillance, and it is illegal.” He recommended that Clearview AI stop offering its facial recognition services to Canadian clients, stop collecting images of people in Canada and delete those already in its database.” Clearview stopped offering its services in Canada, but declined the other recommendations.
In December 2021, the French privacy watchdog ordered Clearview to delete French citizens’ data and to stop collecting new images. In March 2022, Italy’s privacy authorities fined Clearview almost $22 million, ordered the company to delete data relating to people in Italy, and banned it from further collection and processing of Italian information.
In May 2022, Clearview settled a case in the US brought by the ACLU. This is more limited in scope than the European enforcements. “The settlement does not require any ‘material change’ in the Clearview business model,” said Cahill Gordon, an attorney representing the company.
Although the European actions would appear to be more severe than the US action, it is worth noting that a European ‘enforcement’ notice may be entirely unenforceable. Clearview, founded in 2017, is a US company based in New York. It has no assets in Europe.
A study by Ku Leuven (a research university based in Leuven, Belgium) published on May 5, 2022 concludes:
“Despite the legal actions and decisions of national DPAs, the company is pursuing its activities. From an EU data protection perspective, the collection and processing of photographs and related information have no legal basis. The data protection principles are not respected, and data subjects cannot exercise their rights. But with no physical presence in the EU, Clearview AI does not seem to be concerned by the unenforceable decisions of the DPAs. Other alternatives will have to be found to stop the company’s activities.”