Clearview AI Inc receives provisional ICO fine of £17m

The Information Commissioner’s Office (ICO) has recently issued a Notice of Intent and Preliminary Enforcement Notice against Clearview AI Inc, over concerns that its ‘data scraping’ and biometric facial recognition platform breaches data protection laws. The Notices carry with them a provisional fine of £17m, which is towards the upper end of potential penalties issued by the ICO in the last 12 months.

At the heart of Clearview’s platform is a database which has been compiled by AI technology from facial and biometric imagery found on the surface web level of the internet. Customers are able to provide an image to the company for the purposes of carrying out searches against its database, which is thought to contain approximately 10 billion images, or possibly more. The ICO’s concerns have stemmed from the fact that the database is likely to contain data belonging to a large number of UK-domiciled individuals.

Specifically, Clearview’s practices are said to have fallen foul of UK data protection laws on a number of fronts:

• failing to process the information of people in a way they are likely to expect or that is fair;
• failing to have a process in place to stop the relevant data from being retained indefinitely;
• failing to have a lawful reason for collecting the information;
• failing to meet the high data protection standards required for biometric data (which is classed as ‘special category data’ under the GDPR and UK GDPR);
• failing to inform people about what is happening to their data; and
• asking for additional personal information (including photo imagery), which may have acted as a disincentive to individuals who wish to object to their data being processed in this manner.

Clearview will now have the opportunity to make representations in response to the Notice of Intent and Preliminary Enforcement Notice. As is often the way with provisional fines that have been issued by the ICO, the representations made by those facing enforcement action are likely to play a pivotal role in reducing the overall severity of penalty that becomes payable at the point a final decision is made.

One doesn’t need to look further than last year’s ICO fine issued to British Airways in the sum of £20m, for an example of this. Given the fact, however, that the original Notice of Intent indicated a possible fine in the region of £183m, it appears as though a company’s efforts to mitigate the breach and cooperate with the ICO will not go unnoticed.

This is now the second time within the space of a month that Clearview has found itself in hot water with data protection regulators. In November, a joint investigation by the ICO and Office of the Australian Information Commissioner (OAIC) found that Clearview’s AI platform monetised personal data for a purpose that went far beyond all reasonable expectation. In doing so, it breached Australian privacy laws.

Whilst the OAIC’s final decision did not impose a fine upon Clearview, it was ordered to cease all data collecting practices and destroy the database that had been compiled from the personal information of Australian-domiciled individuals.

Back in the UK and hot on the heels of the ICO’s pursuit of Clearview, is the even more recent news that the Cabinet Office has been fined £500,000 for disclosing postal addresses of the 2020 New Years Honours recipients. Although this penalty is modest by comparison, it demonstrates that any body (whether private, pubic or of government function) is strictly obligated to abide by data protection laws.

If you found this interesting, there's a lot more comment you may find helpful on UpData, which provides regular updates on contentious, criminal and insurance risks relating to data, from cyber-attacks to regulatory enforcement.