December 5, 2021

ICO announces possible £17 million fine against US facial recognition company

On November 29, 2021, the UK Information Commissioner’s Office announced its provisional intent to impose a £17 million fine on Clearview AI Inc., a US facial recognition company.  The ICO also issued a provisional notice to stop processing personal data obtained from people in the UK and delete the data gathered, based on allegations that Clearview breached UK data protection laws.  According to the ICO, Clearview enabled its customers to utilize a facial recognition tool that allowed them to locate relevant facial images by searching the company’s database of more than 10 billion images.  The ICO reports that the images were likely gathered from publicly available sources, including social media platforms, without consumers’ knowledge. 

The provisional notice was issued following a joint investigation by the ICO and the Office of the Australia Information Commission into Clearview’s personal information handling practices.  The joint investigation focused on the company’s use of personal data scraped from the World Wide Web, and its use of biometrics for facial recognition.  The ICO’s preliminary view is that Clearview violated several UK data protection laws by failing to have a process in place to ensure that data is not retained indefinitely, failing to have a lawful reason to collect the information, and failing to adhere to the higher standard of protection required for biometric data in accordance with the General Data Protection Regulation and UK GDPR.  

Clearview must now address the alleged breaches in the ICO’s Notice of Intent and Preliminary Enforcement Notice.  After considering the company’s representations, the Information Commissioner is expected to issue a final decision by mid-2022.

On November 3, 2021, as a result of its joint investigation with the ICO, the Australian Information Commissioner found that Clearview’s practice of scraping Australians’ biometric information from the Web and disclosing it through a facial recognition tool breached the Australian Privacy Act 1988.  As a result, Clearview was ordered to stop collecting facial images and biometric data from individuals in Australia, and to destroy any existing images and templates collected from Australia.

ICO News Release | ICO News Release – Joint Investigation | Australian Government Press Release | Australian Commissioner’s Determination