Clearview provides a service that allows customers, including the police, to upload an image of a person to the company’s app, which is then checked for a match against all the images in the database. The app then provides a list of images that have similar characteristics with the photo provided by the customer, with a link to the websites from where those images came from.
In May 2022, the Information Commissioner’s office fined Clearview AI Inc £7,552,800 for using images of people that were collected from websites and social media. The images were used to create a global online database for facial recognition.
The ICO also issued an enforcement notice, requiring Clearview AI to stop obtaining and using the personal data of UK residents that is publicly available on the internet, and to delete the data of UK residents from its systems.
The ICO found that Clearview AI Inc breached UK data protection laws by:
- failing to use the information of people in the UK in a way that is fair and transparent, given that individuals are not made aware or would not reasonably expect their personal data to be used in this way;
- failing to have a lawful reason for collecting people’s information;
- failing to have a process in place to stop the data being retained indefinitely;
- failing to meet the higher data protection standards required for biometric data (classed as ‘special category data’ under the GDPR and UK GDPR); and
- asking for additional personal information, including photos, when asked by members of the public if they are on their database. This may have acted as a disincentive to individuals who wish to object to their data being collected and used.
Clearview appealed this fine. It said that the ICO did not have the jurisdiction to issue it because the processing is not within the scope of the UK GDPR / GDPR.
The First-Tier Tribunal has now issued its decision in Clearview AI Inc v The Information Commissioner [2023] UKFTT 819 overturning the ICO’s enforcement notice and monetary penalty notice. In conclusion, the appeal was successful because Clearview was used solely by law enforcement bodies outside the UK. Although Clearview did not carry out data processing related to monitoring the behaviour of people in the UK, the tribunal said that the ICO did not have jurisdiction to take enforcement action or issue a fine.
The case is likely to go to a further appeal.