The Information Commissioner’s Office has suffered an embarrassing defeat at the First-Tier Tribunal after it ruled the regulator did not have the authority to fine Clearview AI £7.5m for unlawfully collecting images on British consumers without their knowledge.
The fine, issued in May 2022, was substantially less than a £17m penalty proposed in the ICO’s notice of intent issued six months earlier, but was still the third biggest under UK GDPR at that time.
It came after a joint investigation with the Office of the Australian Information Commissioner (OAIC), which focused on Clearview AI Inc’s use of people’s images, data scraping from the Internet and the use of biometric data for facial recognition.
The company’s main focus is on providing information to international law enforcement and their partners to help investigate serious crimes. Customers upload an image of a person to the company’s app, which is then checked for a match against all the images in the database. The app then provides a list of images that have similar characteristics with the photo provided by the customer, with a link to the websites from where those images came from.
The ICO also issued an enforcement notice, ordering the company to stop obtaining and using the personal data of UK residents that is publicly available on the Internet, and to delete the data of UK residents from its systems.
However, in its appeal, Clearview argued that the regulator lacked the power to hand down its enforcement notice and monetary penalty because the company’s challenged data processing activities fell “outside the territorial scope” of the UK GDPR.
Instead, the tribunal concluded that Clearview’s processing of UK citizens’ personal data since Brexit was only done in the furtherance of services that the company provided completely outside the UK.
Clearview, which is based in New York and does not have offices in the UK or the EU, also claimed its database is no longer available to commercial clients after a settlement last year with the American Civil Liberties Union in Illinois federal court. It is now only “offered exclusively” to non-UK law enforcement and national security agencies and their partners.
The three-member tribunal – Judge Lynn Griffin and tribunal members Stephen Shaw and Rosalind Tatam – found that while Clearview’s activities “could have an impact on UK residents even though it is not used by UK customers” that was not enough to bring these processing activities within the extraterritorial scope of the UK GDPR.
And, although the processing undertaken by the company was “related to the monitoring of data subjects’ behaviour” in the UK, the processing ultimately was not “relevant processing” for purposes of the country’s GDPR.
“Therefore, it is our conclusion that the Commissioner did not have jurisdiction to issue the [enforcement or monetary penalty notices],” the tribunal concluded.
Information Commissioner John Edwards has yet to comment on the decision. At the time of the enforcement he said: “People expect that their personal information will be respected, regardless of where in the world their data is being used. That is why global companies need international enforcement. Working with colleagues around the world helped us take this action and protect people from such intrusive activity.”
Clearview AI gets £7.5m fine; is facial recognition dead?
Clearview AI faces £17m fine for abusing UK data laws
Facial recognition tech slapped down in privacy rulings
Clearview AI whacked with multiple GDPR complaints
CMA widens probe into use of ‘murky’ online algorithms
Consumers call for AI crackdown as ICO begins probe
Authorities split on how to regulate surging AI market