UK privacy watchdog fines Clearview AI £7.5 million for breaking data protection laws

The UK Information Commissioner’s Office (ICO) has fined facial recognition company Clearview AI Inc £7,552,800 for breaking data protection laws over its use of images of people’s faces and data from publicly available information. The ICO has also issued an enforcement notice, ordering the company to stop obtaining and using the personal data of UK residents and to delete the data of UK residents from its systems.

The enforcement action comes in the wake of a joint investigation with the Office of the Australian Information Commissioner (OAIC) which focused on Clearview AI Inc’s use of people’s images, data scraping from the internet, and the use of biometric data for facial recognition. The £7,552,800 fine is less than half of the £17 million initially proposed by the ICO in November 2021.

Clearview AI failed to inform people about data collection

According to a posting on the ICO’s website, Clearview AI Inc. has collected more than 20 billion images of people’s faces and data from publicly available information on the internet and social media platforms all over the world to create an online database. People were not informed that their images were being collected or used in this way. “Given the high number of UK internet and social media users, Clearview AI Inc.’s database is likely to include a substantial amount of data from UK residents, which has been gathered without their knowledge,” the ICO stated. “Although Clearview AI Inc. no longer offers its services to UK organisations, the company has customers in other countries, so the company is still using personal data of UK residents.”

Commenting on the fine, UK Information Commissioner John Edwards said that the ICO has acted to protect UK residents. “People expect that their personal information will be respected, regardless of where in the world their data is being used. That is why global companies need international enforcement. Working with colleagues around the world helped us take this action and protect people from such intrusive activity.”

Clearview AI breached UK data protection law in several ways

The ICO found that Clearview AI had broken UK data protection law in several ways:

• Failing to use the information of people in the UK in a way that is fair and transparent, given that individuals are not made aware or would not reasonably expect their personal data to be used in this way.
• Failing to have a lawful reason for collecting people’s information.
• Failing to have a process in place to stop the data being retained indefinitely.
• Failing to meet the higher data protection standards required for biometric data (classed as “special category data” under the GDPR and UK GDPR).
• Asking for additional personal information, including photos, when asked by members of the public if they are on their database. This may have acted as a disincentive to individuals who wish to object to their data being collected and used.

Any monetary penalty is paid into the Consolidated Fund, which is the UK government’s general bank account at the Bank of England and is not kept by the ICO.