Legal briefing

ICO fines facial recognition database company Clearview over £7.5m

Overview

The ICO's recent fine of over £7.5m issued against Clearview AI Inc (Clearview) for using images of UK citizens scraped from the internet as part of Clearview's global online database is one of the largest that the ICO has issued to date.  But it is considerably less than the £17m fine announced by the ICO in its provisional decision in November 2021.  The ICO has also issued an enforcement notice ordering Clearview to cease collecting and using personal data of UK residents and to delete those data from its systems. Clearview claims that it is not subject to the ICO's jurisdiction; it has 28 days to appeal the decision.

The ICO's enforcement action follows a joint investigation with the Office of the Australian Information Commissioner.  Clearview is facing scrutiny around the world over the privacy implications of its software, with enforcement action already taken by Canada, France and Italy.  Recently it settled a lawsuit in the US under which it has agreed not to give access to its facial recognition database to private companies and individuals across the US. 

In this briefing, we look at the reasons for the fine, Clearview's challenge to the ICO's jurisdiction and consider what may lie ahead for the regulation of facial recognition technology - a high risk area where AI and biometric data meet.  

What did Clearview do?

Clearview's system enables customers, including law enforcement agencies, to upload a photo of a face and find matches in its database of billions of images that it has collected. It then provides links to where matches appear online. Clearview collected these images of individuals (including data subjects in the UK) from their social media platforms and other websites without the permission of either the data subjects or the platform owners (Clearview has previously been sent cease and desist letters by Twitter, YouTube, Google and Facebook).

The ICO found that Clearview had breached UK data protection laws on the following grounds:

  • UK citizens were not aware of Clearview's use of their data and could not reasonably expect their data to be used in this way, and therefore Clearview failed in its fairness and transparency obligations

  • The company had no legal basis for collecting personal data from UK citizens

  • It had not met the higher standards of data protection required for processing biometric data, which counts as "special category data"

  • It had no processes in place to prevent data from being retained indefinitely

  • It also asked for additional personal information when contacted by individuals enquiring whether they were part of the database, which could have acted as a disincentive to individuals exercising their right to object to their data being collected or used.

Does the ICO have jurisdiction over Clearview?

Clearview's lawyers have said that the decision to impose any fine was "incorrect as a matter of law", adding that "[Clearview] is not subject to the ICO's jurisdiction, and [it] does no business in the UK at this time".  Clearview ran a similar argument previously under EU GDPR in response to the enforcement action taken by the Italian data protection authority – unsuccessfully.

The extra-territorial reach of the UK GDPR

The UK GDPR applies not only to UK companies but also to companies, such as Clearview, that are established outside the UK but process personal data of UK residents because they are selling goods or services in the UK or monitoring the behaviour of those data subjects.

Clearview no longer does business in the UK but its previous clients included the Metropolitan Police, the Ministry of Defence and the National Crime Agency.  The ICO's position is that Clearview is subject to UK GDPR because it monitors the behaviour of UK residents whose data is stored in its database.   

Clearview's rhetoric suggests that they are not going to take the decision lying down but we do not yet know if they will appeal the decision, nor, if they fail to comply, how the ICO will react (it can issue further penalties).  It is however difficult for the ICO to enforce against foreign entities that don't have any local establishments, but the ICO, and its European counterparts, can still pursue local entities that are customers for Clearview's facial recognition software, which effectively impedes Clearview's expansion into the UK and EU.

Why the lower fine?

The breaches of data protection legislation in this instance were extensive and some privacy champions have argued that this situation warranted a fine of the highest available level, rather than a fine set at "just below the mid-point" of the range of penalties available to the Commissioner.  In determining the level of the fine, the ICO had regard to its Regulatory Action Policy and representations from Clearview (although Clearview's representations do not appear to have affected the level of the fine either way). 

While some may wonder if this signals a change in enforcement strategy under the new Information Commissioner, John Edwards, it is common for fines issued to be substantially less than the provisional amount. This was equally true when Elizabeth Denham was at the helm: the British Airways £20m data breach fine fell from £189m; the Marriott £18m fine fell from £99m.

What is the regulatory landscape ahead?

Clearview's online data scraping practices for biometric data and its bullish approach to privacy concerns were bound to attract the attention of the regulators.

The harvesting of biometric data and its use in AI solutions will continue to be a controversial and risky area (as we have previously discussed here and here), whether for facilitating law enforcement, security or creating avatars for the metaverse, given concerns over privacy and bias.  In November 2021 Facebook announced that it was shutting down its facial recognition system and deleting over one billion face images amidst "growing concerns about the use of this technology as a whole" and the uncertainty in the regulatory landscape. There is already divergence between the EU and the UK, judging by the EU's draft AI Regulation, over facial recognition technology in public spaces for example, with the EU taking a more stringent approach than the UK. In relation to the use of facial recognition technology in the area of law enforcement, in its draft guidelines published on 12 May 2022 for public consultation, the EDPB has repeated its and the EDPS' joint call for a ban on processing personal data that relies on scraping photographs accessible online. 

Will the UK Government's drive to reform data protection law in order to make the UK a hub for innovation lead to a more lenient approach to enforcement in this area, as AI becomes more widespread and accessible? We'll need to see the text of the Data Reform Bill announced in the Queen's Speech to assess further: it seems unlikely that the new reforms will create a regulatory environment in the UK where practices akin to those employed by Clearview thrive without the ICO's intervention.

Get in touch

Louisa Chambers
Helen Reddish