UK Information Commissioner’s Office (ICO) fines Clearview AI £7.5m

Summary

On 23 May 2022, the UK's ICO announced that it had fined Clearview AI, a US-based facial recognition firm, £7.5 million.

The fine was imposed on the company over its illegal practice of collecting and storing pictures of individuals from social media platforms without the individuals' consent.

The fine follows a joint "provisional" announcement in November 2021 between the ICO and the Office for the Australian Information Commissioner to fine Clearview £17 million. While the ICO has reduced the fine after taking into consideration some of Clearview's representations, the fine is still the third largest ever to be imposed by the ICO. 

Enforcement notice

The ICO also issued an enforcement notice ordering Clearview to:

• remove all UK citizens' data from its systems which, according to the ICO, forms part of its database of more than 20 billion images of people;

• stop obtaining and using the personal data of UK residents. While Clearview's services are no longer being offered in the UK (where previous clients included the National Crime Agency and the Metropolitan Police), the company still has customers abroad and was therefore still using UK residents' data.

The UK information commissioner, John Edwards, stated that "the company not only enables identification of those people but effectively monitors their behaviour and offers it as a commercial service. That is unacceptable".

Basis of ICO's decision

Clearview's AI allows a user to upload an image of a face and find matches in Clearview's extensive database. The software then provides links to a list of images that are similar to the one uploaded, effectively creating a search engine for facial identity.

This was found to have breached UK privacy law on the basis that: (i)  personal data is not being used in a way that is fair and transparent to UK individuals; (ii) there is no lawful reason for collecting this data; (iii) Clearview did not establish a process to prevent  the data from being retained indefinitely; and (iv) Clearview failed to meet the higher data protection standards required for biometric data.

Recent trend against Clearview

The ICO's decision follows similar action taken against Clearview in other jurisdictions. Regulators in France, Australia and Italy have ordered the company to delete its facial recognition data in the last 6 months (and, in the case of Italy, the regulator fined Clearview €20 million on similar grounds).

As well as regulators, tech giants such as Google, Twitter and Facebook, have sent Clearview  cease and desist letters over the company violating their terms of service through scraping and collecting data from their platforms.

Last week, as part of a settlement in a lawsuit brought against Clearview in Illinois, Clearview  agreed to ban private businesses and individuals in the US from accessing its database. Clearview  will only be able to offer its services to law enforcement and federal agencies in the US (outside Illinois).

Key message and reflections

The ICO's fine against Clearview, and similar recent action, reinforces the message from data regulators: collecting and using biometric data, without adhering to the relevant legislation which applies to it - even where that data is publicly available - will not be permitted.  

While the UK has not yet seen much in the way of disputes arising from AI (let alone the processing of biometric data by AI) such claims remain a distinct possibility, and the imposition of this fine may provide a further nudge for claimants, litigation funders and claimant law firms in this direction.  The growth in the use of big data and personal data used for the training, testing and deployment of AI, means the potential for breaches continues to grow.  In particular, data controllers could find themselves vulnerable to allegations of breaches of Article 14, 15 (the transparency requirements) and 22 (automated processing) UK GDPR.  Litigation concerning similar breaches of GDPR has already been brought in the Netherlands and, along with this Clearview ruling, may inspire UK Claimants.