Information Commissioner's Office
ICO issues provisional view to fine Clearview AI Inc over £17 million
The Information Commissioner’s Office (ICO) has announced its provisional intent to impose a potential fine of just over £17 million on Clearview AI Inc – a company that describes itself as the ‘World’s Largest Facial Network’.
In addition, the ICO has issued a provisional notice to stop further processing of the personal data of people in the UK and to delete it following alleged serious breaches of the UK’s data protection laws.
This announcement follows a joint investigation by the ICO and the Office of the Australian Information Commissioner (OAIC), which focused on Clearview AI Inc’s use of images, data scraped from the internet and the use of biometrics for facial recognition. Customers of Clearview AI Inc can also provide an image to the company to carry out biometric searches, including facial recognition searches, on their behalf to identify relevant facial image results against a database of over 10 billion images.
The images in Clearview AI Inc’s database are likely to include the data of a substantial number of people from the UK and may have been gathered without people’s knowledge from publicly available information online, including social media platforms. The ICO also understands that the service provided by Clearview AI Inc was used on a free trial basis by a number of UK law enforcement agencies, but that this trial was discontinued and Clearview AI Inc’s services are no longer being offered in the UK.
The ICO’s preliminary view is that Clearview AI Inc appears to have failed to comply with UK data protection laws in several ways including by:
- failing to process the information of people in the UK in a way they are likely to expect or that is fair;
- failing to have a process in place to stop the data being retained indefinitely;
- failing to have a lawful reason for collecting the information;
- failing to meet the higher data protection standards required for biometric data (classed as ‘special category data’ under the GDPR and UK GDPR);
- failing to inform people in the UK about what is happening to their data; and
- asking for additional personal information, including photos, which may have acted as a disincentive to individuals who wish to object to their data being processed.
Clearview AI Inc now has the opportunity to make representations in respect of these alleged breaches set out in the Commissioner’s Notice of Intent and Preliminary Enforcement Notice. Any representations will be carefully considered by the Information Commissioner before any final decision is made. As a result, the proposed fine and preliminary enforcement notice may be subject to change or no further formal action. We expect to make a final decision by mid-2022.
The ICO’s announcement follows the conclusion of the OAIC’s investigation earlier this month that found Clearview AI Inc in breach of Australian Privacy laws.
Announcing this provisional decision, the UK Information Commissioner, Elizabeth Denham, said:
“I have significant concerns that personal data was processed in a way that nobody in the UK will have expected. It is therefore only right that the ICO alerts people to the scale of this potential breach and the proposed action we’re taking. UK data protection legislation does not stop the effective use of technology to fight crime, but to enjoy public trust and confidence in their products technology providers must ensure people’s legal protections are respected and complied with.
“Clearview AI Inc’s services are no longer being offered in the UK. However, the evidence we’ve gathered and analysed suggests Clearview AI Inc were and may be continuing to process significant volumes of UK people’s information without their knowledge. We therefore want to assure the UK public that we are considering these alleged breaches and taking them very seriously.”
- Clearview AI Inc’s facial recognition app allows users to upload an image of an individual’s face and match it to photos of that person’s face collected from the internet. It then links to where the photos appeared. The system is reported to include a database of more than 10 billion images that Clearview AI claims to have taken or ‘scraped’ from various social media platforms and other websites.
- The ICO is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The OAIC regulates the Australian Privacy Act 1988, which applies to most Australian Government agencies and organisations with an annual turnover of more than AU$3 million, as well as those that trade in personal information. The investigation follows preliminary enquiries with Clearview AI.
- The joint investigation was conducted in accordance with the Australian Privacy Act and the UK Data Protection Act 2018. It was also conducted under the Global Privacy Assembly's Global Cross Border Enforcement Cooperation Arrangement and the MOU between the ICO and the OAIC.
Latest News from
Information Commissioner's Office
Blog: What does equality of access really mean when developing a career with a visual impairment?19/05/2022 12:25:00
On Global Accessibility Awareness Day, Paul Arnold, ICO Deputy Chief Executive and Chief Operating Officer shares his story.
Blog: A day in the life of the ICO’s information management team13/05/2022 12:25:00
“It’s important to remember the people behind the information.”
ICO response to Channel 4 ‘Inside the Metaverse’ documentary29/04/2022 12:25:00
A recent C4 Dispatches – Inside the Metaverse looked at the metaverse and how the platforms enforce against users that act inappropriately.
Conclusion of ICO investigation into unauthorised disclosure of CCTV footage from DHSC – 19 April 202220/04/2022 12:25:00
The ICO found insufficient evidence to prosecute two people suspected of unlawfully obtaining and disclosing CCTV footage from the Department for Health and Social Care (DHSC).
Statement following conclusion of ICO investigation into unauthorised disclosure of CCTV footage from DHSC13/04/2022 16:20:00
The Information Commissioner’s Office (ICO) has found insufficient evidence to prosecute two people suspected of unlawfully obtaining and disclosing CCTV footage from the Department for Health and Social Care (DHSC).
Children's privacy and international collaboration12/04/2022 15:20:00
John Edwards, UK Information Commissioner, is in Washington DC this week to meet with regulators, civil society, lawmakers and tech companies, as well as present the work of the ICO at the IAPP Global Privacy Summit.
Blog: Why protecting children online in UK living rooms starts 5,000 miles away12/04/2022 09:10:00
Blog posted by: John Edwards, UK Information Commissioner, 11 April 2022.
Statement in response to open Democracy's letter08/04/2022 12:25:00
openDemocracy has issued an open letter about the Freedom of Information Act.
John Edwards article in Civil Service World – 5 April 202207/04/2022 12:25:00
Civil Service World have published an article by John Edwards, in which he discusses what he’s learned so far from his listening tour, and offers reassurance about the service that the ICO is looking to give to people and businesses.