The Information Commissioner's Office (“ICO”) is the UK's data protection supervisory authority charged with enforcing a host of laws that regulate communications, networking and data protection, It often works with other data protection supervisory authorities and has recently completed a joint investigation with the Office of Australian Information Commissioner (“OAIC”) in respect of the use of images, data scraped from the internet and the use of biometrics for facial recognition by Clearview AI Inc (“Clearview AI”).
What is Clearview AI?
Clearview AI was founded in 2017 and started to make waves when it turned out to have created a groundbreaking facial recognition application. You could take a picture of a person, upload it and get to see public photos of that person, along with links to where those photos appeared.
According to its own website, Clearview AI provides a “revolutionary intelligence platform”, powered by facial recognition technology. The platform includes a facial network of 10+ billion facial images scraped from the public internet, including news media, mugshot websites, social media (such as Facebook Instagram and LinkedIn), and other open sources.
Clearview AI says it uses its faceprint database to help law enforcement fight crimes. Unfortunately, it’s not just law enforcement. Journalists uncovered that Clearview AI also licensed the application to at least a handful of private companies for security purposes.
What does the ICO have to say about Clearview AI?
The ICO publicly announced on 29 November 2021 that Clearview AI had violated UK data protection law by:
failing to process people’s information in a way they are likely to expect or that is fair;
failing to have a process in place to prevent data being retained indefinitely;
failing to have a lawful basis for collecting the information;
failing to meet the requirements for processing special category data; and
failing to inform people about what is happening to their data.
The ICO has warned Clearview AI that it potentially faces a fine of at least £17 million for its failures. It has also issued a provisional notice prohibiting Clearview from processing personal data and has demanded that it delete personal data in its systems on UK data subjects. The ICO is expected to make a final decision by mid-2022 in respect of the fine.
What do other data protection supervisory authorities think about Clearview AI?
Clearview AI has been subject to regulatory attention elsewhere in the world:
In February 2020, the Office of the Privacy Commissioner of Canada completed its own investigation into and found several violations of national law and also ordered Clearview AI to stop processing citizens’ data and declared Clearview AI illegal. Clearview AI rejected the findings, but also said it no longer offered the service to Canadian law enforcement.
In February 2021, the Swedish Authority for Privacy Protection found that the Swedish Police Authority had unlawfully used Clearview AI’s services in breach of the Swedish Criminal Data Act 2018 and fined the country’s police authority €250,000.
In November 2021, the OAIC also issued an order to Clearview AI to delete data after finding that it had breached the privacy of Australians. It ordered the Clearview AI to cease collecting facial images and biometric templates from people in Australia and to destroy existing data. Clearview AI argued that the information it collected was not personal and that it fell outside of Australian law as a US company.
What comments have been made on this situation?
Clearview AI Inc’s CEO, Hoan Ton-That (source: The Guardian, 2021)
“I am deeply disappointed that the UK information commissioner has misinterpreted my technology and intentions. I created the consequential facial recognition technology known the world over. […] My company and I have acted in the best interests of the UK and [its] people by assisting law enforcement in solving heinous crimes against children, seniors, and other victims of unscrupulous acts. […] It breaks my heart that Clearview AI has been unable to assist when receiving urgent requests from UK law enforcement agencies seeking to use this technology to investigate cases of severe sexual abuse of children in the UK. […] I would welcome the opportunity to engage in conversation with leaders and lawmakers so the true value of this technology which has proven so essential to law enforcement can continue to make communities safe.”
UK’s information commissioner, Elizabeth Denham (source: The Guardian, 2021)
“I have significant concerns that personal data was processed in a way that nobody in the UK will have expected. It is therefore only right that the ICO alerts people to the scale of this potential breach and the proposed action we’re taking.”
“Clearview AI Inc’s services are no longer being offered in the UK. However, the evidence we’ve gathered and analysed suggests Clearview AI Inc were and may be continuing to process significant volumes of UK people’s information without their knowledge. We, therefore, want to assure the UK public that we are considering these alleged breaches and taking them very seriously.”
Australian information commissioner, Angelene Falk (source: ComputerWeekly.com, 2021)
“The indiscriminate scraping of people’s facial images, only a fraction of whom would ever be connected with law enforcement investigations, may adversely impact the personal freedoms of all Australians who perceive themselves to be under surveillance.”
Aria Grace Law
We advise large companies and legal service providers on data protection matters and have run several end-to-end data protection programmes for many of our clients, taking out data risk and adding back data value. We are experienced data privacy experts and can assist your organisation with reviewing and enhancing your data protection program as well as with engaging with regulators such as the ICO. If you would like to find out more or instruct us to help you, please contact us at firstname.lastname@example.org.
Privacy Update by Maryam Diomande (Paralegal) and Puja Modha (Partner) at Aria Grace Law