Clearview AI has won an appeal of the May 2022 enforcement penalty notice issued by the UK Information Commissioner’s Office (ICO) at a First-tier tribunal. Clearview AI is an American company, providing facial recognition software to law enforcement and government agencies. The ICO issued both an enforcement notice and fined Clearview AI £7.5 million for breaching the Data Protection rules by creating a database containing images of UK residents without their knowledge or consent. Built through data scraping, a process where large amounts of publicly available data from various sources (including the public facing internet) is gathered, Clearview AI’s system is akin to a search engine, in response to photo’s uploaded by a user the system provides links to matching images online (facial recognition).
Originally, the ICO concluded Clearview AI’s actions were in scope of their purview as it had deemed Clearview AI’s actions to amount to monitoring behaviour of individuals in the UK. However, Clearview AI’s appeal succeeded on the basis that although Clearview AI did monitor the behaviour of individuals in the UK, the system was only used by law enforcement agencies outside of the UK.
Following the appeal decision, the ICO has indicated that it will need to “carefully consider next steps”, however said:
“It is important to note that this judgment does not remove the ICO’s ability to act against companies based internationally who process data of people in the UK, particularly businesses scraping data of people in the UK, and instead covers a specific exemption around foreign law enforcement,”
With this in mind the decision does provide us with a useful prompt to remind ourselves of the legal issues which abound when considering data scraping in light of the narrow issue relied upon by Clearview AI in having the ICO’s monetary penalty notices overturned.
Whilst data scraping is not an uncommon tool utilised by businesses, organisations need to ensure they do so in a legally compliant and ethical manner. As with any personal data processing, it must be carried out in a fair, lawful and transparent manner:
Fairness: For the processing to be fair, the data subject needs to be aware of the processing and have a reasonable expectation that their personal data will be processed in this way.
Lawfulness: For the processing to be lawful, it must meet one of the conditions for lawful processing under Article 6 UK GDPR and where the processing involves special category data, one of the conditions under Article 9 of the UK GDPR.
Transparency: The selected basis or conditions should be recorded and included in the relevant privacy notice to ensure data subjects are informed and made aware of the processing.
In addition to the above, any data scraping activity will also need to meet the other data protection principles, including:
- Purpose limitation
Organisations should ensure data scraping is compatible with their processing purposes as set out.
- Data Minimisation
Organisations should also ensure that any data processed is limited to that which is necessary for and directly relevant to the purpose and ensure the amount of data scraped is as limited as possible for achievement of the purpose.
The ICO have published a joint statement with 11 other Data Protection Authorities on the privacy risks posed by unlawful data scraping, which organisations may find useful. In the joint statement, the regulators flag the risks associated with data scraping for individuals and provide organisations with key considerations to ensure their scraping activities are lawful.
Ensuring any data scraping activity is compliant with GDPR is important for organisations. If your organisation does not already have a process in place for your data scraping activities, you should seek to review current practices and implement a process. Although the fine in Clearview AI’s case has been overruled, the ICO has emphasised that this does not diminish its ability to fine and bring enforcement action on organisations processing data from individuals in the UK and those engaged in illegal data scraping activities.
How can we help?
Should you have any queries in relation to data scraping and GDPR, please contact a member of our Data Protection & Cyber Security team.
This article was co-written by Helen McBrierty, Trainee Solicitor.