Clearview AI Inc was fined £7,552,800 by the Information Commissioner’s Office (ICO) for collecting photographs of individuals from the web and social media to construct a worldwide online database that could be used for face recognition.
📣 Update:
Clearview AI has emerged victorious in its appeal against a 7.5 million GBP fine that was initially imposed by the U.K. Information Commissioner’s Office in 2021. The panel of judges from the First-tier Tribunal, overseeing the appeal, acknowledged that Clearview AI indeed conducted “data processing related to monitoring the behavior of individuals in the UK.” However, they determined that the ICO lacked the authority to levy the penalty on Clearview AI because the company’s primary user base consisted of law enforcement agencies located outside the U.K., which are not subject to the provisions of the GDPR.
The ICO also issued an enforcement notice, directing the firm to stop accessing and exploiting personal data on UK residents that is freely available on the internet, as well as to erase UK resident data from its systems.
Clearview AI Inc’s usage of people’s photos, data scraping from the internet, and the use of biometric data for face recognition were all investigated jointly by the ICO and the Office of the Australian Information Commissioner (OAIC).
Who is Clearview?
Customers, including the police, can upload an image of a person to the company’s app, which is then compared to all of the photographs in the database.
The software then displays a list of photographs with comparable features to the customer’s photo, along with a link to the websites where those images were obtained.
Given a large number of UK internet and social media users, Clearview AI Inc’s database is likely to contain a significant quantity of data collected without their consent from UK people.
Although Clearview AI Inc no longer provides services to UK businesses, the company has customers in other countries, thus personal data from UK people are being used.
Clearview AI Inc, according to the ICO, violated UK data protection legislation by:
- failing to use people’s information in the UK in a fair and transparent manner, provided that people are not informed or would not reasonably expect their personal data to be used in this way;
- failing to have a legal basis for collecting people’s data; failing to have a framework in place to prevent data from being kept forever;
- failing to fulfill the stricter data protection requirements necessary for biometric data (referred to as “special category data” under the GDPR and UK GDPR);
- requesting more personal information, including images, when asked whether they are on their database by members of the public. Individuals who want to object to their data being gathered and utilized may have been discouraged by this.
