ICO fines Clearview AI Inc. £ 7.5 Million for the unlawful processing of personal data

Olivia Satchel

Olivia Satchel

Lawyer

The Information Commissioner’s Office (ICO) imposed a fine of £ 7.5 Million on Clearview Al Inc. for the use of images and other information obtained from the internet for their facial recognition app. The fine follows a joint investigation of the ICO and the Office of the Australian Information Commissioner (OAIC), which started in July 2020.

Background

Clearview Al Inc. runs an app for facial recognition. Users, such as the police, can upload any image of a person, which then is checked for a match against the company’s database. After the check for matches, the user receives a list of images with similar characteristics to the image uploaded as well as a link to the websites where the images were first posted. To create this database, Clearview collected more than 20 billion images of individual´s faces across the UK and other countries all over the globe from publicly available social media platforms and other publicly available information on the internet, without informing the respective data subjects of the collection and use of their data.

Cleaview Al Inc. has now stopped offering these services in the UK, however the app is still in use in other countries and the data of UK residents is still in the database.

ICO’s Justification of the fine

In July 2020, the OAIC and the ICO started their joint investigation of the app provided by Clearview Al Inc. and focused on the scraping of publicly available personal data and the use of biometrics for facial recognition.

As a result of the investigation, the ICO found that Clearview Al Inc. acted in breach of the following requirements of data protection laws, in particular of the UK GDPR:

  • Informing data subjects of the collection and use of their data contrary to Art. 13 and 14 UK GDPR;
  • Providing a legal basis for the respective processing contrary to Art. 6 and 9 UK GDPR;
  • Storage limitations for the data processed as stated in Art. 5 (1)(e) UK GDPR;
  • Meeting the standards of Art. 9 GDPR in regard to the biometric data processed; and
  • Compliance with data subject’s requests, especially the right to information and erasure contrary to Art. 15 and 17 UK GDPR. Here, Clearview Al Inc. asked for additional personal information, especially more images of the data subject, to clarify their identity. The ICO stated that this might come across as a deterrent to individuals wishing to query the collection and usage of their data.

Therefore, the ICO imposed a fine of £ 7,552,800 on Clearview Al Inc. However, this is not the end of it. The ICO also issued an enforcement notice against Clearview Al. Inc. to first of all, stop using data of UK residents and secondly, to delete all data of UK residents from the company’s systems.

The outcome of the OAIC case is not known yet, however, Clearview Al Inc. will most likely also face fines or similar sanctions in this case.

Bottom line: publicly accessible data may also only be processed under the requirements of the GDPR

This investigation and outcome underlines once more the importance of compliance with the requirements of the UK GDPR when it comes to processing personal data, and especially special categories of personal data. Companies not only have to take into account the purpose of the processing, in this case the creation of a sufficiently large database for their facial recognition app, but also the principles of lawful processing under Art. 5 UK GDPR/GDPR. This is also necessary when processing publicly accessible data.

The UK GDPR aims to ensure that data subjects are still masters of their own data, and therefore know who processes which data and to what extent. Mere public accessibility does not constitute a legal basis or permission to process the data for one’s own, more far-reaching purposes. This would contradict the objective of data protection as just explained.

Accordingly, before processing (even publicly accessible) personal data, you should always clarify the purposes of the data processing, check whether a legal basis allows you to process it, and imperatively, inform the data subjects in an easily accessible manner about the processing of their data and their rights to protect this data.

If you need assistance in evaluating these points, our experts will be happy to help you.