Clearview AI Inc was fined over £7.5 million, and ordered to delete photos and data of UK residents from its database.
The ICO has fined Clearview AI Inc £7,552,800 for using the images of people, including those in the UK, that were scraped from the web and social media profiles to create their global online database which is geared towards facial recognition use. The enforcement notice issued by the ICO orders the company to stop collecting and using the personal data of UK residents, and to delete the data of any UK residents from its systems.
Clearview provides customers with a service which allows them to find information on an individual through their database,using facial recognition software.
Clearview AI Inc has accumulated well over 20 billion images of faces and data of individuals all over the world from data that is publicly available on the internet and social media platforms, and used this data to create an online database. This database is intended to refine facial recognition software and practices. Internet users were uninformed about the collection and use of their images. The service provided by this company allows their customers, including the police, to upload an image of a person to the company’s app, which then compares the image to all the images in their database in order to find a match. This process typically results in the compilation of a list of images that have similar characteristics with the photo provided by the customer, and also includes a link to the websites from which those images were derived.
Clearview’s database likely includes a substantial amount of data from UK residents, which the UK Commissioner deems “unacceptable”.
Considering the volume of UK internet and social media users, it is quite likely that the company’s database includes a substantial amount of data from UK residents, which was collected without their knowledge. While Clearview has ceased offering its services to UK organisations, the company still has customers in other countries, and continues to use the personal data of UK residents, making their data available to those other international clients. In a statement from the ICO, John Edwards, UK Information Commissioner said “Clearview AI Inc has collected multiple images of people all over the world, including in the UK, from a variety of websites and social media platforms, creating a database with more than 20 billion images. The company not only enables identification of those people, but effectively monitors their behaviour and offers it as a commercial service. That is unacceptable. That is why we have acted to protect people in the UK by both fining the company and issuing an enforcement notice.”
The ICO found that the company breached UK data protection laws, which landed Clearview fined by the ICO.
Through its investigation, the ICO found that Clearview AI used the information of people in the UK in a way that is neither fair nor transparent, considering the fact that individuals were not made aware, nor would not reasonably expect that their personal data was being used in such a way. The company also has no process in place to delete data after some time, to prevent the data they have collected from being used indefinitely. Clearview also failed to have a legal basis for the collection of all this data. The data collected by the company also falls into the class of special category data, which has higher data protection standards under the UK GDPR, and Clearview AI failed to meet those data protection standards. To make matters worse, when approached by members of the public seeking to exercise their right to erasure, the company required that they send additional personal information in order to have that request fulfilled, which may have acted as a deterrent to those individuals. These infractions landed Clearview fined by the ICO, a total of over £7.5 million. The company was also ordered to delete any data concerning UK residents from its database.
Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.