Clearview AI fined £17 million for breaching UK data protection laws

The UK’s Information Commissioner’s Office (ICO) has provisionally fined the facial recognition company Clearview AI £17 million ($22.6 million) for breaching UK data protection laws. It said that Clearview allegedly failed to inform citizens that it was collecting billions of their photos, among other transgressions. It has also (again, provisionally) ordered it to stop further processing of residents’ personal data.

The regulator said that Clearview apparently failed to process people’s data “in a way that they likely expect or that is fair.” It also alleged that the company failed to have a lawful reason to collect the data, didn’t meet GDPR standards for biometric data, failed to have a process that prevents data from being retained indefinitely and failed to inform UK residents what was happening to their data.

The ICO noted that Clearview’s services were used on a free trial basis by a number of UK law enforcement agencies, “but that this trial was discontinued and Clearview AI Inc’s services are no longer being offered in the UK.”

The images in Clearview AI Inc’s database are likely to include the data of a substantial number of people from the UK and may have been gathered without people’s knowledge from publicly available information online, including social media platforms.

The UK and Australia opened up a joint investigation of Clearview AI last year. Regulators were concerned with Clearview’s practice of scraping data and gathering photos from social media site like Facebook. It sells that data to law enforcement agencies, purportedly allowing them to identify criminals or victims. However, the company’s business practices have raised numerous privacy concerns. 

Clearview AI said it was considering an appeal, according to The New York Times. “[Clearview only] provides publicly available information from the internet to law enforcement agencies,” said company lawyer Kelly Hagedorn in a statement. “My company and I have acted in the best interests of the UK and their people by assisting law enforcement in solving heinous crimes against children, seniors and other victims of unscrupulous acts,” added Clearview AI chief executive Hoan Ton-That in a separate statement.

Earlier this month, Australia’s regular issued a similar ruling, saying Clearview AI breached the privacy of residents by scraping their biometric information. The country’s regulator, the OAIC, ordered Clearview to “cease collecting facial images and biometric templates from individuals in Australia and destroy all facial images and biometric templates collected.”  

In the US, the ACLU recently sued Clearview for violating Illinois state laws. Twitter, Google and YouTube have all sent cease-and-desist letters to the company, alleging that it violates their terms of service. Facebook has also demanded that Clearview stop scraping its data. 

The fine would be the first Clearview has faced, the company told the NYT. It can still contest the ruling with the Commissioner, so the fine and enforcement “may be subject to change,” the ICO wrote. The ICO expects to make a final decision by mid-2022.