06 Dec 2021, 9:30 am
US tech company Clearview AI has been ordered to stop processing and delete any personal data associated with people in the UK and faces a potential £17 million fine, under proposals published by the UK Information Commissioner’s Office (ICO).
Clearview AI develops facial recognition software, widely used by US law enforcement agencies and private companies, that scrapes images and biometric data from the internet to identify people.
In a preliminary enforcement notice earlier this week, the ICO said a Clearview database of over 10 billion online images – used by its clients to carry out biometric searches - was likely to include the data of a substantial number of people from the UK.
The regulator warned that the data might have been gathered from social media platforms and other publicly available information online, without people’s knowledge.
Announcing the proposed £17m fine, the ICO also ordered the company to stop processing the personal data of people in the UK and to delete it.
Rosie Nance, data protection law specialist at Pinsent Masons, said: “The notice to stop further processing of the personal data of people in the UK sends a strong message that the ICO will not permit the use of technologies that disregard UK data protection law.”
“Much is likely to be made of whether the ICO will impose a fine of just over £17 million, or whether Clearview AI will end up with a smaller fine following representations.”
“But ultimately, even a large fine may not be as effective a deterrent as an order preventing it from scraping the personal data of people in the UK from the web,” Nance added.
The ICO’s notice questioned whether Clearview had a lawful reason for collecting data on UK citizens, and accused the company of failing to have a process in place to stop the data being retained indefinitely.
It said Clearview also failed to meet the higher data protection standards required for collecting biometric data, classed as ‘special category data’ under UK GDPR.
Clearview now has the chance to make representations to the Information Commissioner before a final decision is made in mid-2022.
The ICO’s notice comes after a 2020 investigation by the European Data Protection Board (EDPB) concluded that Clearview’s facial recognition software does not meet the conditions set out in the EU’s Law Enforcement Directive.
Alongside investigations in several US states, authorities in Austria, France, Greece, and Italy are also currently investigating the firm.