Clearview AI Inc’s facial recognition app allows users to upload an image of an individual’s face and match it to photos of that person’s face collected from the internet. It then links to where the photos appeared. The system is reported to include a database of more than 10 billion images that Clearview AI claims to have taken or ‘scraped’ from various social media platforms and other websites.
The ICO has announced its provisional intent to impose a potential fine of just over £17 million on Clearview AI Inc, In addition, the ICO has issued a provisional notice to stop further processing of the personal data of people in the UK and to delete it following alleged serious breaches of the UK’s data protection laws.
The announcement follows a joint investigation by the ICO and the Office of the Australian Information Commissioner (OAIC), which focused on Clearview AI Inc’s use of images, data scraped from the internet and the use of biometrics for facial recognition. Customers of Clearview AI Inc can also provide an image to the company to carry out biometric searches, including facial recognition searches, on their behalf to identify relevant facial image results against its database.
The images in Clearview AI Inc’s database are likely to include the data of a substantial number of people from the UK and may have been gathered without people’s knowledge from publicly available information online, including social media platforms. The ICO also understands that the service provided by Clearview AI Inc was used on a free trial basis by a number of UK law enforcement agencies, but that this trial was discontinued and Clearview AI Inc’s services are no longer being offered in the UK.
The ICO’s preliminary view is that Clearview AI Inc appears to have failed to comply with UK data protection laws in several ways including by:
- failing to process the information of people in the UK in a way they are likely to expect or that is fair;
- failing to have a process in place to stop the data being retained indefinitely;
- failing to have a lawful reason for collecting the information;
- failing to meet the higher data protection standards required for biometric data (classed as ‘special category data’ under the GDPR and UK GDPR);
- failing to inform people in the UK about what is happening to their data; and
- asking for additional personal information, including photos, which may have acted as a disincentive to individuals who wish to object to their data being processed.
Clearview AI Inc may now make representations about the alleged breaches of data protection legislation. These will be considered before the ICO makes its final decision. As a result, the proposed fine and preliminary enforcement notice may be subject to change or the ICO may take no further formal action. The ICO expects to make a final decision by mid-2022.
The ICO’s announcement follows the recent conclusion of the OAIC’s investigation that found Clearview AI Inc in breach of Australian privacy laws.