The UK Information Commissioner’s Office (ICO) has fined Clearview AI, a US-based facial recognition provider, just over £7.5 million for collecting and processing images of UK residents in breach of UK data protection laws.
Clearview has created a global facial recognition database by collecting images from the internet. Whilst Clearview is not the first company to have used this technology, the size of its database sets it apart. It has amassed over 20 billion photographs of people’s faces from across the globe together with information about who they are. Users of the company’s system can upload a photo and the system then finds matches from its database, along with links to the websites from which those images came. All of the images, metadata and URLs held in Clearview’s database, despite being sourced from publicly available web sources, including news websites, Twitter, Facebook, YouTube and LinkedIn, constitute personal data.
The ICO found that Clearview breached UK data protection laws in several ways, including failing to:
- use information of UK residents in a fair and transparent way;
- have a lawful reason for collecting people’s information;
- have a process in place to stop the data being retained indefinitely; and
- meet the higher data protection standards required for biometric data.
As well as the fine imposed, the ICO has issued an enforcement notice ordering Clearview to stop obtaining and using publicly available personal data of UK residents and to delete all data about UK residents from its systems.
International enforcement of data protection laws
The ICO’s enforcement action highlights the difficulty of effectively regulating global companies such as Clearview. This enforcement action comes after a joint investigation with the Office of the Australian Information Commissioner into Clearview’s use of images, data scraping and the use of biometric data in relation to facial recognition. In the ICO’s press release, the UK Information Commissioner, John Edwards, states that “international cooperation is essential to protect people’s privacy rights.” He goes on to say he is meeting European regulators to discuss collaborating to tackle global privacy harms, so it appears the ICO will favour an international enforcement approach for such cases going forwards.
Clearview disputes the ICO’s fine on the basis that it is not subject to the ICO’s jurisdiction; it does not have any presence in the UK and does no business in the UK currently. The ICO’s position is that (i) whilst Clearview no longer offers its services to UK organisations, the company has customers in other countries so it is still using personal data of UK residents and (ii) when Clearview’s customers use its product they are effectively monitoring the behaviour of the individuals whose images they upload and/or access. It is this monitoring which brings Clearview within the ambit of UK data protection laws.
It remains to be seen whether Clearview will appeal the ICO’s decision or simply refuse to pay. If the latter, the ICO may obtain an order for payment of the fine from the High Court but, as Clearview has no presence in the UK, enforcement may still prove problematic.
Practical compliance with enforcement notice
The enforcement notice orders Clearview to stop obtaining the personal data of UK residents, and to delete the data of UK residents from its systems. Literal compliance with this, which would require the company to identify all UK residents on its database, is not realistic. The ICO, in recognition of this, refers to US proceedings (Mutnick v Clearview AI) where Clearview took the following measures:
- Blocking all photos in the database that were geolocated in Illinois from being searched;
- Constructing a ‘geofence’ around Illinois;
- Deciding that it will not collect facial vectors from images that contain metadata associated with Illinois; and
- Deciding that it will not collect facial vectors from images stored on servers that are displaying Illinois IP addresses or websites with URLs containing keywords such as “Chicago” or “Illinois”.
The ICO has indicated that adopting steps comparable to those set out above in relation to UK residents would be enough to show compliance with the requirements of the enforcement notice, showing that it is prepared to take a pragmatic approach to the regulation of AI-collected data.
A question of proportionality
The data protection issues presented by this enforcement action against Clearview show both the jurisdictional and practical difficulties in regulating data processing activities of global companies operating in the AI sector where progress is, to a large extent, built on companies creating substantial public datasets scraped from the internet. Governments are presented with the balancing act of encouraging innovation and technological advancement whilst also protecting the privacy of their citizens.
AI and data protection appears to be an area which is currently attracting the attention of the UK government; the Office for Artificial Intelligence is due to publish a White Paper dealing with governing and regulating AI, and the government is in the process of reviewing aspects of the UK’s data protection regime, including its relationship with AI technologies.
It will be interesting to see how policy develops in this fast-changing area. In the meantime, the Clearview fine shows us that those companies who develop and use AI technologies still have to face up to their responsibilities under data protection and privacy rules.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at June 2022.