A UK data protection watchdog has confirmed a fine against controversial facial recognition company Clearview AI.
Watchdog also issued an enforcement notice ordering Clearview to stop collecting and using publicly available personal data of UK residents on the internet. Instructs the system to delete UK residents’ information.
A US company has amassed a database of over 20 billion face images by scraping data from the public internet, such as social media services, to create an online database that it uses to power an AI-powered identity matching service that it sells to businesses. such as law enforcement. The problem was that Clearview didn’t ask the individual if they could use a selfie. And it has been found to violate privacy laws in many countries.
In a statement issued today, UK Intelligence Commissioner John Edwards said:
“Clearview AI Inc has collected multiple images of people in the UK and around the world from various websites and social media platforms to create a database containing more than 20 billion images. The company can not only identify these people, but also effectively monitor their behavior and offer it as a commercial service. It is unacceptable. That’s why we’ve taken steps to protect people in the UK by imposing fines on companies and issuing enforcement notices.
“People expect their privacy to be respected no matter where the data is used in the world. This is why global companies need international enforcement. Working with colleagues around the world has helped us take action and protect people from such disruptive activities.
“This international collaboration is essential to protecting people’s privacy rights in 2022. This means we work with regulators in other countries, just as we did with our Australian colleagues in this case. And that means working with European regulators. So I can meet them in Brussels this week and work together to solve the global privacy issue.”
“Given the large number of UK internet and social media users, Clearview AI’s database is likely to contain significant amounts of data collected without the knowledge of UK residents,” the UK Watchdog wrote. press release.
“Clearview AI no longer serves UK organizations, but since the company has customers in other countries, the company is still using personal data from UK residents,” he added.
The Information Commissioner’s Office (ICO) last fall warned Clearview could impose fines, and ordered the US-based company to stop processing UK citizens’ data and erase all data it had in its possession.
Today’s official enforcement confirmed the results of these preliminary investigations. Clearview has been found to have violated a set of legal requirements.
Specifically, the ICO said that Clearview had no legitimate basis for collecting people’s information. We have not used personal information in a fair and transparent manner, given that people do not know or reasonably expect that their personal information will be used for the purposes for which it is used by Clearview. You don’t have a process in place to prevent data from being held indefinitely. It did not meet the higher data protection standards required for biometric data (also known as ‘special category data’ under EU General Data Protection Regulation and UK GDPR). In a further violation, Clearview prevented the public from accessing data by requesting additional personal information, including photos, when asked if it was in the database. The ICO commented on this, saying, “This may have served to discourage individuals from opposing data collection and use.”
Clearview has been contacted for comment on the UK sanctions.
One thing to note is that the fine level is significantly lower than the £17M+ announced in an interim order against Clearview last fall. We asked regulators about the reduction. Although the exact amount may prove irrelevant if Clearview refuses to pay.
International regulators have limited means of enforcing privacy orders against foreign entities if they do not cooperate and do not have a local representative to enforce the order.
Nevertheless, such sanctions at least limit Clearview’s ability to expand internationally. This is because all local offices are directly accountable to the regulators in their respective markets.
The UK penalty is not the first international sanctions against Clearview. A UK investigation, in a joint process with an Australian privacy watchdog, has ordered the company to stop processing citizen data and delete all information it had in the past year. France and Canada also sanctioned the company. Italy’s data protection regulator fined Clearview 20 million euros in March.
Clearview agreed to settle a 2020 lawsuit from the American Civil Liberties Union earlier this month. .
While the terms of the agreement appear to prohibit Clearview from selling or transferring access to its facial recognition databases to private companies and individuals across the United States, it does include an exception for government contractors (but includes a ban it provides to contractors within five years). ) Illinois itself).
The settlement also addresses the controversial practice of Clearview maintaining an opt-out system for Illinois residents to block their likeness from face search results and offering free trials to officers if the individual is not approved through the department. It asks you to quit. Test the software.
But Clearview prevailed. Instead of monetizing access to a database of scrapped selfies, it has proposed that they respond by selling the algorithm to a private company in the United States.