Clearview AI, a controversial facial recognition technology company, has been fined £7.5 million by the UK Information Commissioner’s Office (ICO) for misusing biometric data in violation of the UK General Data Protection Regulation (GDPR). The fine comes after Clearview amassed a global database of over 20 billion images of individuals’ faces without their knowledge. The company’s database was licensed to foreign government agencies and their contractors for criminal investigations and national security purposes.
Clearview obtained its extensive image database by scraping images from the internet and using an AI facial recognition algorithm to create, store, and index images with similar facial vectors. Additionally, the company allowed its clients to upload probe images for comparison against its database. The algorithm would then deliver results based on facial similarities, providing clients with potential matches and related information.
In response to Clearview’s actions, the ICO issued the company a Monetary Penalty Notice and an Enforcement Notice, ordering Clearview to stop obtaining and using the personal data of UK residents available on the internet. The company was also required to delete the personal data belonging to UK individuals from its database.
Clearview appealed the ICO’s decision to the First-tier Tribunal, arguing that it did not breach the UK GDPR, contesting the ICO’s description of its services, and disputing the ICO’s jurisdiction to issue the Notices. However, the Tribunal upheld the ICO’s decision and fined Clearview for its data misuse.
The Tribunal’s decision shed light on the territorial scope of the UK GDPR and the applicability of Article 3(2)(b), which states that the UK GDPR applies to the processing of personal data by non-UK established controllers/processors if the processing is related to monitoring the behavior of individuals in the UK. While Clearview’s clients were engaging in the monitoring of UK individuals, the Tribunal concluded that Clearview’s processing activities fell outside the material scope of the UK GDPR because its clients were foreign law enforcement agencies.
The Tribunal also determined that Clearview acted as both a sole controller and a joint controller. As a sole controller, Clearview was responsible for the processing involved in creating and storing the image database. As a joint controller, Clearview shared responsibility with its clients for the processing related to the comparison of probe images and the delivery of search results.
The ICO has not yet confirmed whether it will appeal the Tribunal’s decision. However, it emphasized that the judgment does not remove its ability to take action against internationally based companies that process data of people in the UK, particularly those that scrape data from UK individuals. The ICO will carefully consider its next steps in response to the judgment.
The Tribunal’s analysis of the territorial scope provisions in the UK GDPR highlights the potential implications for non-UK established companies engaged in monitoring activities or providing services that enable monitoring. Such companies should conduct a thorough analysis of their activities to determine if they fall within the scope of the UK GDPR.
Overall, the £7.5 million fine against Clearview AI is a significant consequence of its misuse of biometric data and highlights the importance of complying with data protection regulations to safeguard individuals’ privacy and rights.