Clearview AI Inc – which describes itself as the World’s Largest Facial Network – is facing a potential fine of just over £17m from the UK Information Commissioner’s Office for alleged serious breaches of the UK’s data protection laws.
The move follows the conclusion of a joint investigation by the ICO and the Office of the Australian Information Commissioner (OAIC), which focused on Clearview AI Inc’s use of images, data scraped from the Internet and the use of biometrics for facial recognition.
Customers of Clearview AI Inc can also provide an image to the company to carry out biometric searches, including facial recognition searches, on their behalf to identify relevant facial image results against a database of over 10 billion images.
According to the ICO, the images in Clearview AI Inc’s database are likely to include the data of a substantial number of people from the UK and may have been gathered without people’s knowledge from publicly available information online, including social media platforms.
The ICO said it believes that the service provided by Clearview AI Inc was used on a free trial basis by a number of UK law enforcement agencies, but that this trial was discontinued and Clearview AI Inc’s services are no longer being offered in the UK.
Even so, the ICO has issued a provisional notice to stop further processing of the personal data of people in the UK and to delete it.
Moreover, the regulator’s preliminary view is that Clearview AI Inc appears to have failed to comply with UK data protection laws in several ways.
These include: failing to process the information of people in the UK in a way they are likely to expect or that is fair; failing to have a process in place to stop the data being retained indefinitely; failing to have a lawful reason for collecting the information; failing to meet the higher data protection standards required for biometric data (classed as ‘special category data’ under the GDPR and UK GDPR); failing to inform people in the UK about what is happening to their data; and asking for additional personal information, including photos, which may have acted as a disincentive to individuals who wish to object to their data being processed.
Clearview AI Inc now has the opportunity to make representations in respect of these alleged breaches set out in the Commissioner’s Notice of Intent and Preliminary Enforcement Notice.
The ICO says any representations will be carefully considered by the Information Commissioner before any final decision is made. As a result, the proposed fine and preliminary enforcement notice may be subject to change, or may result in no further formal action. It expects to make a final decision by mid-2022.
Announcing today’s provisional decision, Information Commissioner Elizabeth Denham said: “I have significant concerns that personal data was processed in a way that nobody in the UK will have expected. It is therefore only right that the ICO alerts people to the scale of this potential breach and the proposed action we’re taking.
“UK data protection legislation does not stop the effective use of technology to fight crime, but to enjoy public trust and confidence in their products technology providers must ensure people’s legal protections are respected and complied with.
“Clearview AI Inc’s services are no longer being offered in the UK. However, the evidence we’ve gathered and analysed suggests Clearview AI Inc were and may be continuing to process significant volumes of UK people’s information without their knowledge. We therefore want to assure the UK public that we are considering these alleged breaches and taking them very seriously.”
In response, Clearview AI chief executive Hoan Ton-That said: “I am deeply disappointed that the UK Information Commissioner has misinterpreted my technology and intentions.
“My company and I have acted in the best interests of the UK and their people by assisting law enforcement in solving heinous crimes against children, seniors, and other victims of unscrupulous acts…. We collect only public data from the open internet and comply with all standards of privacy and law.”
The company has already been found to have broken Australian privacy law but is seeking a review of that ruling, too.
The use of facial recognition has sparked controversy virtually since the off, with privacy campaigners warning of its intrusive nature for years.
In May, Privacy International, together with Hermes Center for Transparency & Digital Human Rights, Homo Digitalis and Max Schrems-backed organisation NOYB, filed complaints about Clearview in France, Austria, Italy, Greece and the UK.