Clearview fined by the ICO for unlawful data collection and processing

Clearview AI Inc was fined over £7.5 million, and ordered to delete photos and data of UK residents from its database. 

The ICO has fined Clearview AI Inc £7,552,800 for using images of people, including UK residents, that were scraped from the web and social media profiles to build a global online database geared towards facial recognition. The enforcement notice issued by the ICO orders the company to stop collecting and using the personal data of UK residents, and to delete the data of any UK residents from its systems.

Clearview provides customers with a service that allows them to find information on an individual by searching its database using facial recognition software.

Clearview AI Inc has accumulated well over 20 billion images of faces, together with data on individuals all over the world, from publicly available sources on the internet and social media platforms, and has used this material to build an online database. The database is intended to refine facial recognition software and practices. Internet users were not informed about the collection and use of their images. The company’s service allows its customers, including the police, to upload an image of a person to the company’s app, which then compares that image against every image in the database in order to find a match. This process typically produces a list of images with characteristics similar to the photo provided by the customer, together with links to the websites from which those images were taken.


Clearview’s database likely includes a substantial amount of data from UK residents, which the UK Commissioner deems “unacceptable”.

Considering the volume of UK internet and social media users, it is quite likely that the company’s database includes a substantial amount of data from UK residents, collected without their knowledge. While Clearview has ceased offering its services to UK organisations, the company still has customers in other countries, and continues to use the personal data of UK residents, making that data available to those international clients. In a statement from the ICO, John Edwards, UK Information Commissioner, said: “Clearview AI Inc has collected multiple images of people all over the world, including in the UK, from a variety of websites and social media platforms, creating a database with more than 20 billion images. The company not only enables identification of those people, but effectively monitors their behaviour and offers it as a commercial service. That is unacceptable. That is why we have acted to protect people in the UK by both fining the company and issuing an enforcement notice.”

The ICO found that the company breached UK data protection laws, which resulted in Clearview being fined by the ICO.

Through its investigation, the ICO found that Clearview AI used the information of people in the UK in a way that was neither fair nor transparent, given that individuals were not made aware that their personal data was being used in this way, nor would they reasonably expect it. The company also has no process in place to delete data after a period of time, so the data it has collected can be used indefinitely. Clearview also lacked a lawful basis for collecting this data. The data collected by the company falls into the class of special category data, which is subject to higher data protection standards under the UK GDPR, and Clearview AI failed to meet those standards. To make matters worse, when approached by members of the public seeking to exercise their right to erasure, the company required them to send additional personal information before the request would be fulfilled, which may have deterred those individuals. These infractions resulted in Clearview being fined a total of over £7.5 million by the ICO. The company was also ordered to delete any data concerning UK residents from its database.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

The ICO preaches vigilance in the face of possible cyber attacks

The ICO preaches vigilance in the face of possible cyber attacks arising from the Russia-Ukraine conflict.

The ICO preaches vigilance as the likelihood of cyber attacks increases amid the Russia-Ukraine war. When questioned on the possibility of Russia-Ukraine cyber attacks spreading to the UK, the Commissioner, John Edwards, said that the ICO thought it necessary to remind businesses of the importance of data security, and that the conflict has brought with it an increased cyber security threat. According to this article from the Guardian, the Commissioner said that the ICO had yet to see warnings of Russian cyber retaliation for UK support of Ukraine come to fruition, but that companies should check their cybersecurity, including reminding employees to report suspicious emails rather than simply deleting them.


The ICO advises that firms should step up their vigilance in the face of increased potential for cyber attacks. 

Following the imposition of sanctions on Moscow by London, cyber security experts, including the UK’s cyber security agency, warn that hackers could target Britain. Edwards said: “We have picked up on that heightened threat environment and we think it’s really important to take the opportunity to remind businesses of the importance of security over the data that they hold. This is a different era from blacking out the windows and keeping the lights off. The threats are going to come in through your inbox.” The ICO recorded a total of 1,345 “cybersecurity incidents” in the second half of 2021, including ransomware attacks, in which attackers demand payment in cryptocurrency to decrypt the target’s computers, and phishing attacks, in which the victim is tricked, often via email, into downloading malware or handing over their login details. Compared with the same period in 2019, this figure is up by 20%.


Companies risk being fined if they do not take adequate measures to safeguard against cyber attacks. 

The ICO has now warned that companies which fail to take adequate measures against cyber attacks risk penalties, which can include multi-million-pound fines. The ICO aims to help organisations protect people’s data while enforcing data protection regulation. Other regulators in Europe have taken a similar stance in cautioning companies and organisations. The Norwegian DPA, for example, has released a statement urging all companies that export personal data from Norway to recipients in Ukraine and Russia to reconsider the legal basis for those data transfers. In addition, the Norwegian DPA reminded these organizations that Article 24 of the Privacy Regulation emphasises that appropriate technical and organizational measures shall be taken to protect personal data in accordance with the requirements of the Privacy Regulation, and that such measures shall be reviewed and updated as necessary. Overall, authorities are urging organizations to take the necessary measures to protect user data in the current climate, bearing in mind that the increased instability in these countries is more likely to lead to cyber security issues.


The UK’s new Information Commissioner: John Edwards

  • The UK’s new Information Commissioner, John Edwards, was recently appointed for a five-year term starting January 3rd.

John Edwards formally began his five-year term as the UK’s new Information Commissioner on Monday, January 3rd 2022, according to this statement released by the UK Government. Edwards ushers in the new year by beginning this new role, after a period serving as New Zealand’s Privacy Commissioner. He has also practised law for 20 years, specialising in information law. His appointment was approved by the Digital, Culture, Media and Sport Committee following a pre-appointment hearing last September.

The UK’s new Information Commissioner replaces Elizabeth Denham, who served from 2016 until November of last year.

Elizabeth Denham, the former Information Commissioner, served in that capacity from 2016 until November 30th last year. From December 1st 2021 to January 2nd 2022, the ICO’s Deputy Chief Executive was appointed as the ICO’s accounting officer. To ensure continuity of regulatory decision-making during the interim period, the regulatory responsibilities of the Commissioner are typically delegated to Deputy Commissioners through the ICO’s Scheme of Delegation. Edwards describes his new role as working “with those to whom we entrust our data so that they are able to respect our privacy with ease whilst still reaping the benefits of data-driven innovation.”

This appointment, made by Her Majesty, was advised by a committee and an advisory panel.

The appointment was made in accordance with the Governance Code on Public Appointments. Under the Data Protection Act, the appointment was made by Her Majesty by Letters Patent, in accordance with the recommendations of the Secretary of State for Digital, Culture, Media and Sport, through the Prime Minister. The ministers acted on the advice of an Advisory Assessment Panel.


Data protection standards for adtech outlined by ICO

Data protection standards for adtech have been outlined by the ICO in order to ensure that companies safeguard people’s privacy online.

The ICO has called on various companies to address and eliminate the existing privacy risks associated with the adtech industry. The Information Commissioner recently published an opinion warning companies that are designing novel methods of online advertising that compliance with data protection law is paramount, and that the excessive collection and use of personal data needs to be curbed. While online advertising has developed to the point of being highly targeted, and therefore much more effective, this has been made possible by the availability and use of large amounts of personal data, allowing ads to be customized to the audience. Personal data must remain protected, and compliance with the laws and standards relating to the protection of personal data is therefore imperative.


The UK’s Information Commissioner believes that market participants should aim for solutions that are focused on individuals’ rights, freedoms and interests.


The ICO, in its recently issued opinion, calls for a move away from intrusive tracking technologies as these are likely to continue to pose risks and test compliance. The opinion asks companies to “embody the core concepts of data protection by design and by default, and not reinforce or replicate intrusive practices.” The Information Commissioner lists five key principles upon which any solution, proposal or initiative should be built in order to support the key considerations for design, documentation, accountability and auditability. These principles include data protection by design, user choice, accountability, purpose, and reducing harm. These principles are to be considered holistically, and any proposals should demonstrate clearly how they are being applied.


In order to uphold the data protection standards for adtech, the ICO provided recommendations for more specific guidance.

The ICO has provided several specific recommendations for companies that use adtech, to ensure that they not only remain compliant but also keep the rights and freedoms of individuals as a priority. The UK watchdog recommends explaining and demonstrating the architectural design choices made for a solution, and ensuring that the organizations which implement these solutions are sufficiently equipped to integrate the necessary safeguards. The ICO also makes it clear that the benefits and outcomes of these solutions need to be fair and transparent. Data minimization remains important as a general rule, as does the need to protect users. The ICO recommends giving users meaningful control, and sets out in this recent opinion steps to ensure that user control is strengthened and takes precedence over processing in solution design.

The principles of proportionality and necessity must be considered, and organisations should be able to demonstrate that they cannot reasonably achieve the required purpose in any less intrusive way, in order to justify the impact on individuals. Solutions must allow organizations to easily identify and meet the requirements of an appropriate lawful basis, identifying where PECR requires consent and where that consent meets the GDPR standard. In addition, solutions must specifically address the potential for processing special category data, and allow organisations to identify the appropriate condition under which it is being processed. The aim is for new online advertising proposals to improve trust and confidence in the digital economy, rather than threaten it.


The Information Commissioner welcomes further input, and reserves the right to revise the views therein, based on further findings.

The Information Commissioner reserves the right to form a different view based on further findings, changes in circumstance and engagement with stakeholders. That said, the ICO is open to receiving further input that may help in understanding these developments from the perspective of data protection, or help market participants understand the broader data protection impacts of their proposals or how they may better incorporate data protection by design and default into their services.
