Following a joint investigation by the UK Information Commissioner’s Office and the Office of the Australian Information Commissioner, a fine of £7.5 million has been imposed on Clearview AI, a facial recognition technology company headquartered in New York.
Clearview AI’s business involves the application of facial recognition technology to the company’s database of billions of images collected from public websites and social media. The company’s clients, including law enforcement, are given access to the database and to Clearview AI’s algorithmic search engine, which allows them to upload an image and find a match within the database, and then link back to the website or social media site from which the match was drawn. The investigators found that Clearview AI collected over 20 billion facial images – including images of UK residents — without informing or obtaining the consent of the people whose images were collected.
The ICO found that both the original collection of the images, and their use by Clearview AI and its customers, infringed the UK General Data Protection Regulation. As a controller within the meaning of the UK GDPR, Clearview AI infringed the data protection principles set forth in Articles 5(1)(a) and (e) of the statute regarding the lawful processing of data and length of time the data is held, as well as:
- Article 6 of the statute, by not having a lawful basis for the processing of personal data;
- Article 14, by not providing the required information to data subjects;
- Article 9, due to the special category of data to which facial images belong;
- Article 35, for not fulfilling the duty to carry out the required Data Protection Impact Assessment, and;
- Articles 15, 16, 17, 21, and 22, for not respecting the rights of data subjects.
Noting that the parallel provisions of the GDPR applied to Clearview AI’s conduct prior to the effective date of the UK GDPR, and that the company’s infringement was ongoing, the ICO ordered Clearview AI to pay a £7,552,800 penalty, to delete the personal data of UK residents from the company’s database, to refrain from further processing of the personal data of UK residents, and to refrain from offering Clearview database services to UK customers. In the event the company wishes to engage in any of the enjoined activities, it must carry out a Data Protection Impact Assessment and submit the results to the ICO.
Clearview AI has been the subject of investigations by several data protection enforcement agencies, including Italy’s Garante per la Protezione dei Dati Personali, which fined the company over €20 million in March 2022, and the Commission Nationale de l’Informatique et des Libertés, which ordered Clearview AI in December 2021 to cease collecting and using the data of persons on French territory, and to destroy the data it had collected.