ICO proposes to fine Clearview £17 million for data protection breaches

Investigation leads to fine for Clearview

Following a joint investigation with the Office of the Australian Information Commissioner (OAIC), the Information Commissioner’s Office (ICO) have announced they intend to fine Clearview AI Inc, a facial recognition app, over £17 million for multiple data breaches. The ICO have also issued a provisional notice to stop further processing of the personal data of people in the UK and to delete the data. This follows alleged serious breaches of the UK’s data protection laws.

Clearview’s facial recognition app

Clearview have developed a facial recognition app that allows its users to upload an image and match the photo to other photos of that person on the internet. It is believed that Clearview’s database includes more than 10 billion images, which have been sourced from (or ”scraped”) from social media platforms. Scraping is the practice of electronically scanning and obtaining data from public websites, usually without data subjects’ prior consent or knowledge.

The ICO and OAIC found that the app had failed to comply with data protection standards in their respective jurisdictions. Both Facebook and Twitter served Clearview with cease and desist letters in 2020 in relation to their scraping of data from their social media websites. 

The ICO’s preliminary decision

The ICO found that Clearview had gathered a substantial amount of data from public websites relating to UK citizens without their knowledge or consent. It also found that the software had been offered on a free-trial basis to a number of UK law enforcement agencies. However, this trial by UK law enforcement is no longer active.

In reaching its preliminary view, the ICO found that Clearview had breached its data privacy obligations by failing to:

• Process personal data in a way data subjects were likely to expect or that is fair
• Have a process in place to stop data being retained indefinitely
• Have a lawful reason for collecting the information
• Meet the higher data protection standards required for biometric data (classed as ‘special category data’ under the UK GDPR) and
• Inform individuals of how their data was being used

Clearview had also asked for additional personal information, including photos, which may have acted as a disincentive to individuals who wished to object to their data being processed. 

What happens next?

The ICO’s findings are preliminary and Clearview have been invited to respond. It has issued a public statement, with  founder and CEO, Hoan Ton-That stating Clearview “have acted in the best interests of the UK and their people by assisting law enforcement in solving heinous crimes against children, seniors, and other victims of unscrupulous acts. We collect only public data from the open internet and comply with all standards of privacy and law."

Once the ICO receives Clearview’s response, we can expect a final decision from the ICO mid-2022. We previously saw the ICO significantly reduce their proposed fines against British Airways and Marriott Inc following the companies’ responses. We will need to wait and see if there is a similar outcome here.

If you need help with any data protection issue visit our data protection service page for more information.