Clearview AI fined millions in the UK: No 'lawful reason' to collect Brits' images
Notorious selfie-scraper must pay $9.43 million – less than half of predicted fine – says data regulator
Updated The UK's data protection body today made good on its threat to fine controversial facial recognition company Clearview AI, ordering it to stop scraping the personal data of residents from the internet, delete what it already has, and pay a £7.5 million ($9.43 million) fine.
The company, which is headquartered in New York, claims to have over 20 billion facial images on its databases, mostly culled from YouTube, Facebook, and Twitter. Clearview AI has developed a facial recognition tool – which it is attempting to patent – that is trained on these images. The tool attempts to match faces fed into its machine learning software with results from its enormous image database, which it claims is the largest of its kind "in the world" and which it sells (to law enforcement bodies, among other clientele) across the globe.
The move from the Information Commissioner's Office (ICO) comes after an investigation launched in 2020 in conjunction with the Australian Information Commissioner to see if Clearview had breached the Australian Privacy Act or the UK Data Protection Act 2018.
Handing down a fine that is less than half of the £17 million+ ($21.3 million+) originally envisaged, the ICO also said it was not impressed that the company had no "process in place to stop the data being retained indefinitely."
- Bosses using AI to hire candidates risk discriminating against disabled applicants
- Clearview AI promises not to sell face-recognition database to most US businesses
- Research finds data poisoning can't defeat facial recognition
- Clearview AI plans tech to ID faces as they age, seek big government deals
- Clearview's selfie-scraping AI facial recognition technology set to be patented
In addition to the fine, the selfie-scraper was also slapped with an enforcement notice ordering it to stop collating the data and delete all information of British residents from its systems.
In defense of its business model, Clearview AI's boss has previously said that the images, mostly uploaded by the data subjects themselves, were publicly available, and that it didn't see why it couldn't collate and search them, comparing its actions to that of web search giant Google. CEO Hoan Ton-That remarked at the time: "If it's public and it's out there and could be inside Google's search engine, it can be inside ours as well."
John Edwards, UK Information Commissioner, said of the action:
Clearview AI Inc has collected multiple images of people all over the world, including in the UK, from a variety of websites and social media platforms, creating a database with more than 20 billion images. The company not only enables identification of those people, but effectively monitors their behavior and offers it as a commercial service. That is unacceptable. That is why we have acted to protect people in the UK by both fining the company and issuing an enforcement notice.
The ICO found it had had breached UK's GDPR by "failing to meet the higher data protection standards required for biometric data" (classed as "special category data" under the GDPR and UK GDPR); failing to use the info in a way that is "fair and transparent"; failing to have a lawful reason for collecting it; and failing to have a process in place to stop the data being kept "indefinitely."
Finally, the ICO said the company had illegally requested "additional personal information" (including photos), when members of the public approached it to ask if they were on their books – presumably to check against images it already has. "This may have acted as a disincentive to individuals who wish to object to their data being collected and used," noted the regulator.
Privacy and cyber lawyer James Castro-Edwards, of law firm Arnold & Porter, said of the ation: "The GDPR (and the UK GDPR), which will be four years old this week, includes a number of specific requirements in relation to new technologies such as AI, which process personal data.
"As with any other processing activity, companies must ensure these systems comply with the principles, such as lawfulness, fairness and transparency, as well as those of privacy by design and by default."
We have asked Clearview AI to comment and will update when it responds. ®
Updated to add at 15:00 UTC on May 23:
Clearview AI provided a statement from Lee Wolosky, a partner at Jenner and Block, who said: "While we appreciate the ICO's desire to reduce their monetary penalty on Clearview AI, we nevertheless stand by our position that the decision to impose any fine is incorrect as a matter of law.
"Clearview AI is not subject to the ICO's jurisdiction, and Clearview AI does no business in the UK at this time."
The company's CEO, Hoan Ton-That, also provided a statement, saying he was "deeply disappointed that the UK Information Commissioner has misinterpreted my technology and intentions. I created the consequential facial recognition technology known the world over. My company and I have acted in the best interests of the UK and their people by assisting law enforcement in solving heinous crimes against children, seniors, and other victims of unscrupulous acts."