Clearview AI Fined £7.5m Over Facial Recognition Data

The UK Information Commissioner’s Office (ICO) has fined controversial facial recognition company Clearview AI £7.5m and has told it to delete the data it holds on UK residents.

Clearview AI gathers what it says are publicly accessible facial images from the internet, including social media platforms such as Facebook, and provides face-matching services using its database of 20 billion images.

Its clients have included the Metropolitan Police, the Ministry of Defence, and the National Crime Agency.

But it no longer offers services in the UK, and says it does not fall under British jurisdiction.

Biometric data

The ICO says Clearview AI’s actions breach UK data protection laws, which are in line with the EU’s GDPR.

This requires individuals to give their explicit consent for the use of their data, and places further restrictions on biometric data such as facial images.

Clearview AI’s chief executive Hoan Ton-That said: “I am deeply disappointed that the UK Information Commissioner has misinterpreted my technology and intentions.

“We collect only public data from the open internet and comply with all standards of privacy and law.

“I am disheartened by the misinterpretation of Clearview AI’s technology to society.”

Information commissioner John Edwards said: “The company not only enables identification of those people, but effectively monitors their behaviour and offers it as a commercial service. That is unacceptable.

Joint investigation

“People expect that their personal information will be respected, regardless of where in the world their data is being used.”

The ICO said Clearview AI is still using the data of UK residents in services offered in other countries.

In November 2021 the agency warned Clearview AI it could face fines of up to £17m.

The UK has now joined France, Italy and Australia in taking action against the US-based company.

The fine follows a joint investigation by the ICO and the Office of the Australian Information Commissioner.

The ICO said Clearview AI had breached UK data protection laws by failing to use UK residents’ data in a fair and transparent way, not having a lawful reason for collecting the data, failing to have a process in place to stop the data from being retained indefinitely, and not meeting the higher standards required for biometric data.

Jurisdiction

In addition, it made the situation worse by requesting additional personal information, including photos, when asked by members of the public if they were in the database.

This unlawfully impeded individuals from accessing information about them, the ICO said.

Lee Wolosky, an attorney from US law firm Jenner and Block, said: “While we appreciate the ICO’s desire to reduce their monetary penalty on Clearview AI, we nevertheless stand by our position that the decision to impose any fine is incorrect as a matter of law.

“Clearview AI is not subject to the ICO’s jurisdiction, and Clearview AI does no business in the UK at this time.”

While the ICO and other countries may have difficulty enforcing the penalties, the actions do place strict limits on Clearview AI’s ability to offer services outside the US.

US settlement

Within the US, Clearview AI earlier this month settled a lawsuit from the American Civil Liberties Union, which had alleged it breached Illinois biometric data protection law.

The settlement places some restrictions on Clearview AI’s ability to sell or give away access to its database to private companies in the US, excluding government contractors.

The firm said it would instead sell the use of its facial recognition algorithm.