Information Commissioner's Office
ICO fines facial recognition database company Clearview AI Inc more than £7.5m and orders UK data to be deleted
The Information Commissioner’s Office (ICO) has fined Clearview AI Inc £7,552,800 for using images of people in the UK, and elsewhere, that were collected from the web and social media to create a global online database that could be used for facial recognition.
The ICO has also issued an enforcement notice, ordering the company to stop obtaining and using the personal data of UK residents that is publicly available on the internet, and to delete the data of UK residents from its systems.
The ICO enforcement action comes after a joint investigation with the Office of the Australian Information Commissioner (OAIC), which focused on Clearview AI Inc’s use of people’s images, data scraping from the internet and the use of biometric data for facial recognition.
What did Clearview AI Inc do?
Clearview AI Inc has collected more than 20 billion images of people’s faces and data from publicly available information on the internet and social media platforms all over the world to create an online database. People were not informed that their images were being collected or used in this way.
The company provides a service that allows customers, including the police, to upload an image of a person to the company’s app, which is then checked for a match against all the images in the database.
The app then provides a list of images that have similar characteristics to the photo provided by the customer, with a link to the websites where those images came from.
Given the high number of UK internet and social media users, Clearview AI Inc’s database is likely to include a substantial amount of data from UK residents, which has been gathered without their knowledge.
Although Clearview AI Inc no longer offers its services to UK organisations, the company has customers in other countries, so the company is still using personal data of UK residents.
John Edwards, UK Information Commissioner, yesterday said:
“Clearview AI Inc has collected multiple images of people all over the world, including in the UK, from a variety of websites and social media platforms, creating a database with more than 20 billion images. The company not only enables identification of those people, but effectively monitors their behaviour and offers it as a commercial service. That is unacceptable. That is why we have acted to protect people in the UK by both fining the company and issuing an enforcement notice.
“People expect that their personal information will be respected, regardless of where in the world their data is being used. That is why global companies need international enforcement. Working with colleagues around the world helped us take this action and protect people from such intrusive activity.
“This international cooperation is essential to protect people’s privacy rights in 2022. That means working with regulators in other countries, as we did in this case with our Australian colleagues. And it means working with regulators in Europe, which is why I am meeting them in Brussels this week so we can collaborate to tackle global privacy harms.”
Details of the contraventions
The ICO found that Clearview AI Inc breached UK data protection laws by:
- failing to use the information of people in the UK in a way that is fair and transparent, given that individuals are not made aware or would not reasonably expect their personal data to be used in this way;
- failing to have a lawful reason for collecting people’s information;
- failing to have a process in place to stop the data being retained indefinitely;
- failing to meet the higher data protection standards required for biometric data (classed as ‘special category data’ under the GDPR and UK GDPR);
- asking for additional personal information, including photos, when asked by members of the public if they are on their database. This may have acted as a disincentive to individuals who wish to object to their data being collected and used.
The joint investigation was conducted in accordance with the Australian Privacy Act and the UK Data Protection Act 2018. It was also conducted under the Global Privacy Assembly's Global Cross Border Enforcement Cooperation Arrangement and the MOU between the ICO and the OAIC.
Notes to Editors
- The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA 2018), the UK General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
- Since 25 May 2018, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17 million (€20 million) or 4% of global turnover.
- This CMP was issued under the DPA 2018 for infringements of the GDPR and UK GDPR.
- Any monetary penalty is paid into the Consolidated Fund, which is the Government’s general bank account at the Bank of England, and is not kept by the ICO.
- To report a concern to the ICO, telephone our helpline on 0303 123 1113 or go to ico.org.uk/concerns.