The Information Commissioner’s Office (ICO) has fined ClearView AI over £7.5m for using images of people collected from the web and social media to create a facial recognition database.
The ICO has additionally issued an enforcement notice ordering the firm to stop obtaining and using the personal data of UK residents that is publicly available on the internet, as well as to delete the data of UK residents from its systems.
This action comes after a joint investigation with the Office of the Australian Information Commissioner, which focused on Clearview’s use of people’s images, data scraping from the internet and the use of biometric data for facial recognition.
According to the ICO, Clearview AI has collected more than 20 billion images of people’s faces and data from publicly available information on the internet and social media over the world to create an online database – additionally, people were not informed that their images were being collected or used in such a way.
Clearview offers a service that enables customers – including the police – to upload an image of a person to the company’s app, which is then checked for a match against all the images in the database. From here, the app provides a list of images that have similar characteristics with the photo provided by the customer, with a link to the websites from where those images came from.
Despite Clearview no longer offering its services to UK firms, it still has customers in other countries, which means it is still using personal data of UK residents.
The ICO found Clearview breached UK data protection laws by failing to use the information of people in the UK in a way that is fair and transparent, failed to have a lawful reason for collecting people’s information, failed to have a process in place to stop the data being retained indefinitely, failed to meet the higher data protection standards required for biometric data and asked for additional personal information – including photos – when asked by members of the public if they are on their database.
UK information commissioner John Edwards said, “Clearview AI Inc has collected multiple images of people all over the world, including in the UK, from a variety of websites and social media platforms, creating a database with more than 20 billion images. The company not only enables identification of those people, but effectively monitors their behaviour and offers it as a commercial service. That is unacceptable. That is why we have acted to protect people in the UK by both fining the company and issuing an enforcement notice.
“People expect that their personal information will be respected, regardless of where in the world their data is being used. That is why global companies need international enforcement. Working with colleagues around the world helped us take this action and protect people from such intrusive activity.
“This international cooperation is essential to protect people’s privacy rights in 2022. That means working with regulators in other countries, as we did in this case with our Australian colleagues. And it means working with regulators in Europe, which is why I am meeting them in Brussels this week so we can collaborate to tackle global privacy harms.”
Copyright © 2022 RegTech Analyst
Copyright © 2018 RegTech Analyst