On 29 November 2021, following a joint investigation with the Office of the Australian Information Commissioner (‘OAIC’) into Clearview AI Inc’s (‘Clearview’) data processing practices, the Information Commissioner’s Office (‘ICO’) announced its provisional notice of intent to impose a fine of just over £17 million on Clearview. Additionally, the ICO issued a preliminary enforcement notice requiring Clearview to cease further processing of the personal data of data subjects in the UK and delete the data it currently holds. This is following alleged serious breaches of the UK GDPR and the Data Protection Act 2018 by the company with its biometric data collection and facial recognition app.
The OAIC has already, on 3 November 2021, found that Clearview broke national laws and issued a final order for Clearview to delete the data it held.
The ICO’s preliminary view is that Clearview, through the use of images, data scraped from the internet and biometrics for facial recognition, appears to have failed to comply with UK data protection laws, including by:
- failing to process the information of people in the UK in a way they are likely to expect or that is fair;
- failing to have a process in place to stop the data being retained indefinitely;
- failing to have a lawful reason for collecting the information;
- failing to meet the higher data protection standards required for biometric data (classed as ‘special category data’ under the GDPR and UK GDPR);
- failing to inform people in the UK about what is happening to their data; and
- asking for additional personal information, including photos, which may have acted as a disincentive to individuals who wish to object to their data being processed.
Although the ICO acknowledged that Clearview’s service is no longer available in the UK, its view is that Clearview may still be processing significant volumes of UK citizens’ information, gathered from publicly available information online, without their knowledge.
Clearview will now have the opportunity to submit representations in response to the alleged breaches to data protection law. The intended fine and the extent of the preliminary enforcement action in the notices could change, as a final decision from the ICO is expected by mid-2022.
Find the ICO’s provisional view here.
Find information about the ICO and OAIC’s joint investigation here.
Please contact Danny Preiskel if you have any questions.
The material contained in this article is only for general review of the topics covered and does not constitute any legal advice. No legal or business decision should be based on its content.