denisismagilov - stock.adobe.com

ICO warns facial recognition company Clearview AI it could face £17m fine over privacy breaches

The UK’s information commissioner has issued a preliminary decision to fine Clearview over £17m for breaching UK data protection law and invited the company to make representations

The controversial facial recognition company Clearview AI has been warned it could face a £17m fine for multiple breaches of UK Data Protection law.

The Information Commissioner’s Office (ICO) said today that the company, which uses scraping technology to harvest photographs of people from social media and websites, is alleged to have made serious data protection breaches.

The ICO has issued Clearview AI with a provisional notice requiring it to halt the processing of data belonging to people in the UK and to delete copies of all data held on UK citizens.

The regulator has asked the company to respond to the allegations, which are set out in a preliminary notice of intent and a preliminary enforcement notice, before the ICO makes a final decision, expected by mid-2022.

Clearview AI’s legal representative, Kelly Hagedorn of law firm Jenner & Block London, said the UK ICO’s assertions were factually and legally incorrect. “The company is considering an appeal and further action,” she stated.

Largest known database

Clearview AI sells access to what it claims is the “largest known database” of more than 10 billion facial images to law enforcement agencies in the US.

The company uses algorithms to match photographs supplied by its customers against biometric data taken from websites, online news media, social media and other sites.  

It claims to have helped law enforcement officials track down hundreds of criminals, including pedophiles, terrorists and sex traffickers, and to identify victims of crime.

“I have significant concerns that personal data was processed in a way that nobody in the UK will have expected”
Elizabeth Denham, ICO

Clearview AI provided free trials to a number of UK law enforcement agencies but has now withdrawn its services from Europe and the UK.

The UK’s data protection regulator said in a provisional notice today that it was likely that Clearview AI held data about a “substantial number” of people from the UK, which may have been gathered without their knowledge.

Elizabeth Denham, the UK’s information commissioner, said: “I have significant concerns that personal data was processed in a way that nobody in the UK will have expected.”

Although Clearview AI is no longer offering services in the UK, Denham said evidence analysed by the ICO suggested it may “be continuing to process significant volumes of UK people’s information without their knowledge”.

The ICO said its preliminary finding was that Clearview AI had failed to process information fairly in a way that people would reasonably expect. The ICO also said in its preliminary notice that Clearview did not have a lawful reason for collecting information on UK citizens, had failed to meet the higher data protection standards required for biometric data, and had failed to have a process to stop information being retained indefinitely.

The ICO also alleged that the company had failed to inform people in the UK how it was using their data. 

Clearview AI CEO Hoan Ton-That said he was “deeply disappointed” that the UK information commissioner had misinterpreted his technology and intentions.

“My company and I have acted in the best interests of the UK and its people by assisting law enforcement in solving heinous crimes against children, seniors and other victims of unscrupulous acts,” he said.

Australia action against Clearview

The ICO’s notice follows a joint investigation with the Office of the Australian Information Commissioner (OAIC).

In a decision issued in November, the OAIC found that Clearview AI had breached the privacy of Australians. It ordered the company to cease collecting facial images and biometric templates from people in Australia and to destroy existing data.

The Australian commissioner, Angelene Falk, said Clearview’s collection of sensitive information was unreasonably intrusive and unfair. She said the company’s activities carried a significant risk of harm to individuals, including vulnerable groups such as children and victims of crime, whose images could be searched on Clearview AI’s database.

“The indiscriminate scraping of people’s facial images, only a fraction of whom would ever be connected with law enforcement investigations, may adversely impact the personal freedoms of all Australians who perceive themselves to be under surveillance,” she said.

A patent application by the company showed that the technology could be used for other purposes, including dating, retail and granting or denying access to facilities or devices, the OAIC noted.

Clearview, which stopped offering its services to police forces in Australia after the OAIC began its investigation, has argued that the information it collected was not personal and that Clearview AI fell outside of Australian law as a US company.

European privacy complaints

Privacy International and other human rights organisations filed coordinated legal complaints against Clearview in May this year to data protection regulators in the UK, France, Austria, Italy and Greece.

They alleged that Clearview processes personal data in breach of data protection laws and used photographs posted on the internet in a way that goes beyond what users would reasonably expect.

Privacy International said data subject access requests by its staff showed that Clearview AI collects photographs of people in the UK and the European Union.

Clearview also collects metadata contained in the images, including the location where a photograph was taken, web links back to the original photograph, and other data.

“We have laws against this kind of interference with our fundamental rights, and regulators are finally starting to right these wrongs”
Lucie Audibert, Privacy International

The company uses neural networks to scan each image to uniquely identify facial features which as stored as “vectors” made up of 512 data points. These are used to convert photographs of faces into machine-readable biometric identifiers, which are hashed using a mathematical function to allow the database to be rapidly searched.

Clearview’s clients can upload images of people they wish to identify and receive any closely matching images along with metadata that shows where the image came from.

Lucie Audibert, legal officer at Privacy International, said the UK’s preliminary decision should be a wake-up call to investors in Clearview AI.

“We have laws against this kind of interference with our fundamental rights, and regulators are finally starting to right these wrongs,” she said.

Ioannis Kouvakas, Privacy International’s acting general counsel said: “Today’s announcement is not only an affirmation of our data protection rights as internet users, but also a clear message to companies whose toxic business model relies on the exploitation of the moments we and our loved ones post online.”

Clearview, which was founded in 2017, first came to the public’s attention in January 2020, when The New York Times revealed that it had been offering facial recognition services to more than 600 law enforcement agencies and at least a handful of companies for “security purposes”.

Buzzfeed subsequently reported that the company’s users included college security departments, attorney’s general and private companies, including events organisations, casino operators, fitness firms and cryptocurrency companies.

Clearview AI has faced numerous legal challenges to its privacy practices from the American Civil Liberties Union and other organisations.

The Office of the Privacy Commissioner of Canada (OPCC) published a report in February 2020 recommending that Clearview cease offering its service in Canada and delete images and biometric data collected from Canadians.

The Swedish Authority for Privacy Protection found in February 2021 that the Swedish Police Authority had unlawfully used Clearview’s services in breach of the Swedish Criminal Data Act.

Clearview boss heartbroken

Clearview AI’s CEO called for discussions with lawmakers about its work, arguing that the company had been forced to turn down requests for help from UK law enforcement agencies investigating serious crimes.

“It breaks my heart that Clearview AI has been unable to assist when receiving urgent requests from UK law enforcement agencies seeking to use this technology to investigate cases of severe sexual abuse of children in the UK,” said Hoan Ton-That.

“We collect only public data from the open internet and comply with all standards of privacy and law,” he added. “I would welcome the opportunity to engage in conversation with leaders and lawmakers so the true value of this technology, which has proven so essential to law enforcement, can continue to make communities safe.”

Clearview’s UK attorney said: “Clearview AI provides publicly available information from the internet to law enforcement agencies. To be clear, Clearview AI does not do business in the UK, and does not have any UK customers at this time.”

Next Steps

IRS facial recognition move raises bias, privacy concerns

Read more on Privacy and data protection

CIO
Security
Networking
Data Center
Data Management
Close