Clearview AI fined and ordered to remove data

Clearview AI fined by the Italian SA after various GDPR violations, and ordered to remove data and appoint an EU representative.

 

The company Clearview AI, has been fined by yet another EU watchdog, according to this report from the EDPB. The Italian SA has also ordered the company to delete the data of Italians from its database. The company has built its database of approximately 10 billion faces from pictures scraped across the internet. The Italian SA, Garante launched an investigation after a report on several issues regarding facial recognition products which were offered by the Clearview AI Inc.The investigation revealed several issues. As a result, the Italian SA imposed a fine amounting to EUR 20 million, ordered a ban on any further collection and processing, ordered the erasure of the data, including biometric data, processed by Clearview’s facial recognition system with regard to persons in the Italian territory and also ordered the company to designate a representative in the EU.

 

The investigation by the Italian SA uncovered several infringement by Clearview AI Inc. 

 

The Italian SA’s inquiries were spurred following complaints and alerts and found that Clearview AI allows tracking Italian nationals and persons located in Italy. The inquiries and assessment by the Italian SA found several infringements by Clearview AI Inc. The personal data held by the company were processed unlawfully without an appropriate legal basis. This includes biometric and geolocation information.  In addition, the company violated several principles of the GDPR, including transparency, purpose limitation, and storage limitation. Clearview AI neglected to provide the information required by Articles 13-14 of the GDPR when personal data is collected from data subjects. Additionally, the company failed to designate a representative in the EU.

 

Clearview AI was fined €20 million and ordered to remove all Italian user data. 

 

The Italian DP imposed a fine of €20 million on the company. In addition, Garante imposed a ban on any further collection, by web scraping techniques, of images and the relevant metadata of persons in the Italian territory.  A ban was also imposed on further processing of the standard and biometric data that are handled by the Company via its facial recognition system concerning persons in the Italian territory. The Authority also ordered the erasure of all data, including biometric data, processed by its facial recognition system with regard to persons in the Italian territory. The company is also required to designate a representative in the territory of the European Union, as ordered by Garante. 

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

AI powered age verification systems being tested at UK supermarkets for alcohol purchases.

AI powered age verification systems are now being tested at a few UK supermarkets to verify the ages of people attempting to buy alcohol at self-checkout.

 UK supermarkets have begun testing an automated age verification system at self-checkouts when buying alcohol. According to this BBC report, this system will utilize cameras that can estimate a customer’s age. The system is being installed in some supermarkets and will require any customer who is estimated to be under 25, to present ID to a staff member in order to check out. The system uses a camera which will guess their age using algorithms trained on a database of anonymousfaces. Customers must consent to the use of this system.

Producers of this system maintain that it is not facial recognition and that images are not retained.

The system is being produced with the intention of speeding up the self-checkout process by eliminating the need to wait for a member of staff to verify the ages of customers using self-checkout. The producer, a company called Yoti, has stressed that this system is not facial recognition and that images taken by the cameras are not saved. This is intended to protect customers’ identities. Unlike facial recognition, the system does not match faces to individuals’ faces from a database, but rather compares the face to the anonymous faces in the database in order to guess a customer’s age. According to Robin Tombs, chief executive of Yoti, “Our age-verification solutions are helping retailers like Asda meet the requirements of regulators worldwide and keep pace with consumer demands for fast and convenient services, while preserving people’s privacy.”

The producers of this AI powered age verification systems claim that scanned images are never stored, nor are they ever shown to anyone. 

This system has been tested on over 125,000 faces between the ages of six and 16. On average the system was able to guess the age of participants to within 1.5 – 2.2 years among 16-20 year olds. While there have been several concerns about privacy with regard to the use of facial recognition in public spaces, the producers of this age verification system maintain that this system is not the same as facial recognition, and that their personal data is not processed, and images are not saved. The company’s website states that the facial age estimation system can be embedded into an app, website or POS terminal. The AI powered technology can estimate an individual’s age within seconds without the need to provide identification, and without the need to store the image. It goes on to note that the image will never be seen by anyone. 

The system might not be free from potential compliance issues though. According to Dr Bostjan Makarovic, Aphaia’s Managing Partner, the system still processes one’s facial features and perceived age, then bases an automated decision on one’s right to buy a certain item upon such profiling. The implementation of one’s right to obtain human intervention will therefore be crucial.

“These systems may also raise discrimination concerns if the data used to train them was not high-quality data, therefore an AI ethics assessment may also be required to ensure full compliance” points out Cristina Contero Almagro, partner in Aphaia. 

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data to collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

VIII IAB Spain Digital Advertising Regulation Summit Overview

The VIII IAB Spain Digital Advertising Regulation Summit was hosted online on Wednesday 2nd February.

 

The VIII edition of the IAB Spain Digital Advertising Regulation Summit took place last Wednesday 2nd February in an online half-day event which was sponsored by Google, OneTrust and PrimCity. 

 

The event

The IAB Spain Digital Advertising Regulation Summit is a forum for debate on the latest regulation initiatives that may impact the digital sector, bringing together the most influential industry leaders, professionals, organisations, public bodies and other stakeholders to share and discuss their views and experiences on the matter.

The following topics were addressed in this year’s edition: 

  • Digital Markets Act and Digital Services Act;
  • Spain’s Audiovisual Act; 
  • GDPR and ePrivacy;
  • Metaverse; 
  • Trustworthy AI; 
  • Augmented reality and virtual reality; 
  • Spain’s Digital Services Tax Act; 
  • Cookies and targeted advertising and
  • Application of existing liability regimes to emerging digital technologies.

As a member of the ethics committee of EU-funded research and innovation projects, Aphaia was invited to talk about trustworthy AI and its regulation. 

 

AI: Does it need to be regulated in order to be trustworthy?

Aphaia participated as an AI expert as part of the “7 minutes, 7 legal topics” sessions. We were given the opportunity to go through the existing AI regulation framework and initiatives and elaborate on how the current approach may impact the use of this technology by the wider society.

Our speech was focused on the following points:

  • AI HLEG Ethics Guidelines and Assessment List for Trustworthy AI;
  • AI civil liability regime and
  • EU Artificial Intelligence Act.

While it is important to make sure that there are rules in place that govern the use of AI systems and the impact of this technology on society, we should not forget that the existing legal framework is still applicable, meaning that whereas there might not be specific rules that an AI system is subject to, there are other legal requirements that should be complied with, such as data protection and intellectual property laws.

Did you miss it?

The VIII IAB Spain Digital Advertising Regulation Summit was recorded and it will be available on IAB Spain’s Youtube channel in the next following days. 

If you want to learn more about AI regulation and ethics, you can visit our vlog.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data to collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

CLEARVIEW AI ordered to delete photos by French DPA; CNIL

CLEARVIEW AI, ordered to delete photos by the French DPA after investigation revealed unlawful collection and processing of photos from the Internet.

 

CLEARVIEW AI, and the facial recognition software the company produces were first reported to the CNIL in May of 2020. This led to an investigation which uncovered two GDPR infractions; the unlawful processing of personal data, and the lack of sufficient consideration of the rights of the individual, particularly their right to request access to their data. As a result, the CNIL has ordered CLEARVIEW AI to cease the collection and use of data from people on French territory without legal basis, and to facilitate access to data by data subjects. In addition CLEARVIEW AI was ordered to comply with requests to have data erased. The CNIL has given the company two months to comply with these requests sent in their formal notice.

 

CLEARVIEW AI developed a facial recognition system which uses a database of photos which the company had neither consent, nor legal basis to process.

 

CLEARVIEW AI developed a facial recognition software of which the database is built on photographs and videos extracted from the internet’s publicly accessible media. The company does not receive consent of the data subjects whose photos are being used to feed its software. There is also no legal basis for the processing of this personal data. As a result the company was found to be in breach of Article 6 of the GDPR. The collection of data of tens of millions of individuals in France territory without legitimate interest is also considered particularly intrusive.

 

“It should be noted that the fact that personal data is publicly available does not mean that it can be freely used. The GDPR applies to publicly available personal data as well, therefore a basis of Article 6 is required in order to process it lawfully. If this basis is legitimate interest, a Legitimate Interest Assessment needs to be performed” comments Cristina Contero Almagro, Partner in Aphaia

CNIL also found CLEARVIEW AI in breach of articles 12, 15 and 17 of the GDPR as individuals found difficulty in exercising their rights with the company.

 

The many complaints received by the CNIL pointed to an issue with individuals’ rights being infringed upon by the CLEARVIEW AI, particularly the right of access for data subjects and the right to erasure. The company was found to have been limiting the exercise of the right of access to only data collected during the 12 month period preceding the request. In addition individuals were only being allowed to exercise this ride twice a year by CLEARVIEW AI, and without justification. The company was found to only respond to certain requests after an excessive number of requests that come from the same person. When requests were made to exercise the right to erasure, it was reported that the company either did not respond at all, or provided incomplete responses. CLEARVIEW AI has since been put on notice by CNIL to come into compliance, cease unlawful processing and delete all data processed unlawfully within a two month period.

 

 

 

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data to collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessmentsAI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.