UK ICO to fine Clearview AI £17 million for data protection law breaches

The facial recognition company is cited for not having proper data protection processes in place or a lawful reason to collect personal information, among other violations.

facial recognition - biometric security identification
Thinkstock

The UK Information Commissioner’s Office (ICO) has announced its provisional intent to impose a potential fine of just over £17 million (about $22.7 million USD) on facial recognition firm Clearview AI, Inc., for failing to comply with data protection laws. The announcement follows a joint investigation by the ICO and the Office of the Australian Information Commissioner (OAIC), which focused on Clearview AI’s use of images, data scraped from the internet, and the use of biometrics for facial recognition.

The ICO has also issued a provisional notice to stop further processing of the personal data of people in the UK and to delete it, coming in the wake of the conclusion of the OAIC’s investigation that found Clearview AI Inc in breach of Australian Privacy laws.

Clearview AI failed to comply with UK data protection laws

The ICO’s preliminary view is that Clearview AI has failed to comply with UK data protection laws in several ways. These include:

  • Failing to process the information of people in the UK in a way they are likely to expect or that is fair
  • Failing to have a process in place to stop the data being retained indefinitely
  • Failing to have a lawful reason for collecting the information
  • Failing to meet the higher data protection standards required for biometric data (classed as “special category data” under the GDPR and UK GDPR)
  • Failing to inform people in the UK about what is happening to their data
  • Asking for additional personal information, including photos, which may have acted as a disincentive to individuals who wish to object to their data being processed

Clearview AI – which dubs itself the “world’s largest facial network” – now has the opportunity to make representations in respect of the alleged breaches set out by the ICO. Any representations will be considered by the Information Commissioner before any final decision is made, with the proposed fine and preliminary enforcement notice subject to change or no further formal action. The ICO expects to make a final decision by mid-2022.

Commenting on the provisional decision, the UK Information Commissioner, Elizabeth Denham, said: “I have significant concerns that personal data was processed in a way that nobody in the UK will have expected. It is therefore only right that the ICO alerts people to the scale of this potential breach and the proposed action we’re taking. UK data protection legislation does not stop the effective use of technology to fight crime, but to enjoy public trust and confidence in their products technology providers must ensure people’s legal protections are respected and complied with.”

While Clearview AI’s services are no longer being offered in the UK, evidence gathered and analyzed suggests Clearview AI was and may be continuing to process significant volumes of UK people’s information without their knowledge, Denham added. “We therefore want to assure the UK public that we are considering these alleged breaches and taking them very seriously.”

Potential fine “surprisingly small and lenient”

For Ilia Kolochenko, founder of ImmuniWeb and a member of Europol Data Protection Experts Network, the £17m fine is surprisingly small and lenient. “Other companies, recently fined for data breaches, for example, were punished with much larger fines whereas much less personal data was stolen,” he said in a statement. “Clearview AI has allegedly collected and processed over 10 billion individual photos without notice, let alone valid consent. The personal life and privacy of many UK and EU residents are jeopardized for commercial gain stemming from the unlawful processing of personal data.”

Furthermore, under GDPR, the highest penalty threshold for a data breach is 2% of infringer’s annual turnover, and 4% for violations like unlawful processing of personal data, making this specific decision of ICO incomprehensible, Kolochenko added. “The European Data Protection Board should probably bring more clarity and uniformity to the context by issuing additional guidelines on fines.”

Copyright © 2021 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline