Clearview’s facial recognition app allows users to upload a photo of a face and match it to one on the Internet.
The UK’s Information Commissioner’s Office (ICO) and the Office of the Australian Information Commissioner (OAIC) opened a joint investigation into the personal information handling practices of Clearview AI Inc in July 2020.
The investigation focused on the company’s use of data scraped from the internet and the use of biometrics for facial recognition.
The ICO and OAIC worked together on the evidence-gathering stage of the investigation. As both data protection authorities operate under their own country’s legislation, any outcomes are considered separately. Each authority has also been looking separately at their respective police forces’ use of the technology.
The joint investigation has finished and the ICO is considering its next steps and any formal regulatory action that may be appropriate under the UK data protection laws.
The OAIC released its determination into Clearview AI, which is published on the OAIC website.
Elizabeth Denham, Information Commissioner, said the digital world is international and so regulatory work must be international too, particularly where it needs to anticipate, interpret and influence developments in tech for the global good.
“That doesn’t mean sharing the same laws or approaches, but on finding ways for our different approaches to work side by side and to co-ordinate and share the regulatory challenge where technologies impact our citizens across international borders. This helps minimise the burden on data protection authorities and those they regulate,” she said. “That is what we were able to achieve in this case, and the result is an investigation that will protect consumers in both the UK and Australia.”
Australian Information Commissioner and Privacy Commissioner Angelene Falk said the joint investigation with the ICO has been highly valuable and demonstrates the benefits of data protection regulators collaborating to support effective and proactive regulation.
“The issues raised by Clearview AI’s business practices presented novel concerns in a number of jurisdictions. By partnering together, the OAIC and ICO have been able to contribute to an international position, and shape our global regulatory environment.”
Clearview’s facial recognition app allows users to upload a photo of an individual’s face and match it to photos of that person’s face collected from the internet. It then links to where the photos appeared. The system is reported to include a database of more than three billion images that Clearview claims to have taken or ‘scraped’ from various social media platforms and other websites.
Based on its investigation, the ICO has decided to impose a potential fine of just over £17 million on Clearview AI Inc – a company that describes itself as the ‘World’s Largest Facial Network’. In addition, the ICO has issued a provisional notice to stop further processing of the personal data of people in the UK and to delete it following alleged serious breaches of the UK’s data protection laws.
Customers of Clearview AI Inc can also provide an image to the company to carry out biometric searches, including facial recognition searches, on their behalf to identify relevant facial image results against a database of over 10 billion images.
The images in Clearview AI Inc’s database are likely to include the data of a substantial number of people from the UK and may have been gathered without people’s knowledge from publicly available information online, including social media platforms. The ICO also understands that the service provided by Clearview AI Inc was used on a free trial basis by a number of UK law enforcement agencies, but that this trial was discontinued and Clearview AI Inc’s services are no longer being offered in the UK.
The ICO’s preliminary view is that Clearview AI Inc appears to have failed to comply with UK data protection laws in several ways including by:
- failing to process the information of people in the UK in a way they are likely to expect or that is fair;
- failing to have a process in place to stop the data being retained indefinitely;
- failing to have a lawful reason for collecting the information;
- failing to meet the higher data protection standards required for biometric data (classed as ‘special category data’ under the GDPR and UK GDPR);
- failing to inform people in the UK about what is happening to their data; and
- asking for additional personal information, including photos, which may have acted as a disincentive to individuals who wish to object to their data being processed.
Clearview AI Inc now has the opportunity to make representations in respect of these alleged breaches set out in the Commissioner’s Notice of Intent and Preliminary Enforcement Notice. Any representations will be carefully considered by the Information Commissioner before any final decision is made. As a result, the proposed fine and preliminary enforcement notice may be subject to change, or no further formal action may be taken. We expect to make a final decision by mid-2022.