Clearview fined by the ICO for unlawful data collection and processing

Clearview AI Inc was fined over £7.5 million, and ordered to delete photos and data of UK residents from its database. 

 

The ICO has fined Clearview AI Inc £7,552,800 for using the images of people, including those in the UK, that were scraped from the web and social media profiles to create their global online database which is geared towards facial recognition use. The enforcement notice issued by the ICO orders the company to stop collecting and using the personal data of UK residents, and to delete the data of any UK residents from its systems.

 

Clearview provides customers with a service which allows them to find information on an individual through their database, using facial recognition software.

 

Clearview AI Inc has accumulated well over 20 billion images of faces and data of individuals all over the world from data that is publicly available on the internet and social media platforms, and used this data to create an online database. This database is intended to refine facial recognition software and practices. Internet users were not informed about the collection and use of their images. The service provided by this company allows their customers, including the police, to upload an image of a person to the company’s app, which then compares the image to all the images in their database in order to find a match. This process typically results in the compilation of a list of images that have similar characteristics to the photo provided by the customer, and also includes a link to the websites from which those images were derived.

 

Clearview’s database likely includes a substantial amount of data from UK residents, which the UK Commissioner deems “unacceptable”.

 

Considering the volume of UK internet and social media users, it is quite likely that the company’s database includes a substantial amount of data from UK residents, which was collected without their knowledge. While Clearview has ceased offering its services to UK organisations, the company still has customers in other countries, and continues to use the personal data of UK residents, making their data available to those other international clients. In a statement from the ICO, John Edwards, UK Information Commissioner said “Clearview AI Inc has collected multiple images of people all over the world, including in the UK, from a variety of websites and social media platforms, creating a database with more than 20 billion images. The company not only enables identification of those people, but effectively monitors their behaviour and offers it as a commercial service. That is unacceptable. That is why we have acted to protect people in the UK by both fining the company and issuing an enforcement notice.”

 

The ICO found that the company breached UK data protection laws, which resulted in Clearview being fined by the ICO.

 

Through its investigation, the ICO found that Clearview AI used the information of people in the UK in a way that is neither fair nor transparent, considering the fact that individuals were not made aware, nor would they reasonably expect, that their personal data was being used in such a way. The company also has no process in place to delete data after some time, to prevent the data they have collected from being used indefinitely. Clearview also failed to have a legal basis for the collection of all this data. The data collected by the company also falls into the class of special category data, which has higher data protection standards under the UK GDPR, and Clearview AI failed to meet those data protection standards. To make matters worse, when approached by members of the public seeking to exercise their right to erasure, the company required that they send additional personal information in order to have that request fulfilled, which may have acted as a deterrent to those individuals. These infractions resulted in Clearview being fined a total of over £7.5 million by the ICO. The company was also ordered to delete any data concerning UK residents from its database.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Pandemic related data collection halted in Germany

Hamburg Commissioner for Data Protection and Freedom of Information has announced an end to pandemic related data collection and storage.

 

Many of the legal measures implemented to contain the coronavirus pandemic have recently come to an end in Hamburg as the hotspot regulation in Hamburg expired on April 30, 2022. While these regulations are being lifted, several obligations and powers to collect personal data are gradually being removed. Companies and public authorities in Hamburg are now expected to stop all pandemic related data collection and are encouraged to use this phase of the pandemic as an opportunity to take stock of their “corona data”. Companies are asked to check their existing databases and delete all data which is considered no longer required. Storing data in the event of a possible future worsening is now considered unnecessary and is no longer possible with the legal basis ceasing to apply.

 

Employee data which was collected under the 3G rule in Germany is required to be deleted.

 

The obligation to delete data applies particularly to all employers who have previously queried the status of their employees under the German “3G rule”. This rule required employees to provide health data, particularly their COVID-19 status with regard to vaccination, recovery, or negative test results. Entertainment centers, like restaurants or cinemas, for example, are also now required to delete any contact data of any guests that may have been recorded in the context of the pandemic.

 

The Hamburg Commissioner for Data Protection and Freedom of Information says that special categories of data collected in the context of the pandemic must now be deleted.

 

There has now been an official call to delete all sensitive health data which was collected throughout Germany in the context of the pandemic, now that the regulations which provided the legal basis for the collection and storage of this data have expired. Thomas Fuchs, the Hamburg Commissioner for Data Protection and Freedom of Information, was quoted in a recent report as saying “In the last two years we have experienced an exceptional situation in many respects. Special categories of data were also collected on a large scale. These were significant encroachments on fundamental rights, which can be justified in the context of the pandemic. With the expiry of the legal powers, this collected data must now be deleted. In some cases, we observe attempts to maintain surveillance practices or to retain collected data for other purposes and contingencies. Here it is important to do educational work and, if necessary, to intervene in a supervisory manner.”


Protection of health data: new section on AEPD website

The AEPD has launched a new section on its website containing information and resources specific to the protection of health data.

 

The Spanish Agency for Data Protection (AEPD) recently published a new web space in the Areas of Interest section on its website, to facilitate consultation and disseminate information on the processing of health data. The aim of this initiative is to respond to the needs expressed by representatives of the health sector to have a compilation of legislation and other resources on the topic of health and data protection. Health data is considered special category data and therefore special provisions are to be made for the protection of this type of data in particular. 

 

This new section of the AEPD website contains information intended for various members of the community.

 

The resources provided by the AEPD in this new section of their website are intended for citizens, data controllers, data protection professionals, health institutions, as well as the pharmaceutical industry, among others. It is made up of seven sections which include general information on the treatment of health data and how to exercise the right of access to medical records. In addition, there are answers to questions related to medical research. It also outlines the criteria set by the AEPD based on queries raised by members of the health sector, as well as information on inspections that have been carried out. Some of the additional resources which can be found in this new section are topics related to health research and clinical trials, as well as information on personal data breaches within the health sector. 

 

Health officials and other concerned parties are encouraged to make use of these resources.

 

The new section of AEPD’s website was launched on May 3rd and contains several useful links. It is expected that the information contained therein will be updated regularly, and kept up to date with news, important legislative updates, and any personal data breaches which specifically concern health data. This new web space can be accessed via this link and can be used by anyone to stay up to date on any developments with regard to health data. Health officials and other concerned parties are encouraged to make use of this new, very valuable resource provided by the AEPD.
