The ICO’s enforcement action, following a joint investigation with the Office of the Australian Information Commissioner, serves as a serious warning to companies using biometric data for facial recognition.
Clearview AI is a US-based company which gathers images from the internet to create a global facial recognition database. It is estimated that the company has stored more than 20 billion facial images. The potential benefits of such a database are apparent, especially to law enforcement agencies which can use the database to track and identify criminals. In fact, Clearview AI has frequently published success stories in the US where its database has assisted in criminal investigations.
Whilst there are clear benefits to the database, the way in which Clearview AI gathers such data has raised material data protection concerns. In particular, the company takes publicly available images from the likes of Facebook, Instagram and other online sources without the users' knowledge or permission. This was found to be a clear breach of UK data protection law as individuals could be identified and Clearview AI was effectively monitoring individual behaviour.
Breaches of UK data protection law identified include the following:
- no lawful basis for collecting the data;
- failure to collect data in a fair and transparent way;
- failure to have in place a process to stop the data being retained; and
- failure to meet the standards required for biometric data.
Clearview AI sought to argue that its operations in the UK had ceased. However, this was rejected by the ICO as UK data protection law has territorial effect in that it applies where personal data of UK residents are being processed overseas. Therefore, whilst Clearview did not offer services in the UK, it offered services to organisations in other countries which made use of UK residents’ personal data.
Clearview AI was fined £7,552,800 by the ICO as a result. In addition, an enforcement notice was issued to Clearview AI which required the company to stop obtaining and using publicly available personal data of UK residents and to delete the data of UK residents which it currently stores.
John Edwards, U.K. Information Commissioner, said: “People expect that their personal information will be respected, regardless of where in the world their data is being used. That is why global companies need international enforcement. Working with colleagues around the world helped us take this action and protect people from such intrusive activity. This international co-operation is essential to protect people’s privacy rights in 2022.”
The enforcement action against Clearview AI sends a strong reminder to organisations outside the UK that UK data protection law can still apply to them. Moreover, a failure to comply with those rules can result in international co-operation between data protection authorities and lead to fines and/or other enforcement action in multiple jurisdictions. Organisations outside the UK, therefore, should carefully consider whether they are subject to and complying with UK data protection law.
How can we help?
Our specialist Data Protection & Cyber Security team can assist organisations both in the UK and outside the UK to determine the application of UK data protection law and help them comply.
This article was co-written by Haris Saleem, Trainee Solicitor.