Clearview AI appeals the ICO's monetary penalty notice (over £7.5 million fine) and enforcement notice (order to delete certain data) (Guest blog by Clifford Chance)
Overview
In July 2020, the UK Information Commissioner’s Office (ICO) began a joint investigation with the Office of the Australian Information Commissioner into Clearview AI Inc (Clearview).
Clearview is a US-based facial recognition technology firm that has collected, without consent, over 20 billion facial images from publicly available sources to create a vast online database. Clearview's customers will upload an image to their app, which is checked for a match against their database, and a list of images with similar characteristics are provided. Clearview no longer offers its services to UK organisations, but its customers in other countries continue to use UK residents' facial images.
ICO final decision
The ICO issued its final decision on 18 May 2022, which included:
- an enforcement notice, ordering Clearview to:
- stop obtaining and using the publicly available personal data of UK residents within three months of the expiry of the appeal period; and
- delete UK residents' data from its systems within six months of the same.
- a monetary penalty notice, imposing a GBP 7,552,800 fine on Clearview for numerous breaches of UK data protection laws, namely the General Data Protection Regulation (GDPR) (in relation to pre-Brexit processing) and UK GDPR (in relation to subsequent processing) by:
- failing to process the information of people in the UK in a way they are likely to expect or that is fair;
- failing to have a lawful reason for collecting people’s information;
- failing to have a process in place to stop the data being retained indefinitely;
- failing to meet the higher data protection standards required for biometric data (classed as 'special category data' under the GDPR and UK GDPR); and
- asking for additional personal information, including photos, which may have acted as a disincentive to individuals who wish to object to their data being processed.
Clearview appeal
The First-Tier Tribunal (Information Rights) (FTT) heard Clearview's appeal in November 2023. The appeal outcome is expected imminently.
The appeal raises important questions about the use of facial recognition technology and the extent to which individuals can control their personal data. The principal point in contention concerned the ICO's jurisdiction to issue the enforcement and monetary penalty notices to Clearview.
The ICO relied on Article 3(2)(b) of the UK GDPR which provides that the UK GDPR has extra-territorial scope where the company in question engages in processing activities related to the monitoring of the behaviour of data subjects in the UK, as far as the relevant behaviour takes place within the UK.
Clearview maintained that, as a US-based and US firm, it is not subject to the GDPR or UK GDPR. Its clients are foreign governments and contractors, and their use of Clearview's services also falls outside the scope of the GDPR and UK GDPR. Moreover, Clearview argues that its processing of personal data does not involve monitoring behaviour. It provides a searchable platform of facial images (i.e., mere information) that cannot be searched using behavioural terms and, it contends, this does not amount to monitoring.
Clearview appeal outcome
Clearview is not obliged to comply with the enforcement or monetary penalty notices until the appeal is determined.
If the FTT finds against Clearview, it does not have an automatic statutory right to appeal to the Upper Tribunal. Rather, in the first instance it would need to apply to the FTT for permission to appeal. If the FTT refuses permission to appeal, Clearview must apply to the Upper Tribunal for permission to appeal.
Managing data risk in AI deployment
The UK and Australia are not alone in taking regulatory action against Clearview – other regulators that have issued orders or fines in relation to Clearview include the French, Greek, Italian and Canadian data protection authorities. With many data protection laws having extra-territorial effect, resolving which laws apply to its use of data will have significant ramifications for Clearview. More widely, the outcome of this appeal is awaited with interest by many, given the importance of understanding the territorial scope of the UK GDPR (and the potential influence on interpretation of other data protection laws with equivalent provisions).
The ICO's investigation of Clearview should also be recognised as part of a global regulatory spotlight on AI more generally. As well as preparing for emerging AI-specific laws and regulatory frameworks, companies must navigate existing laws and other legal restrictions governing how data may be processed when developing, training and using AI. Notable among these are data protection laws, intellectual property laws and contractual restrictions on use of confidential information. The action against Clearview and other recent regulatory action, such as the Italian data protection authority's order in relation to ChatGPT, are salutary reminders of the range of laws engaged by AI deployment, their jurisdictional complexity, and the need to holistically manage legal risk.
Get our tech and innovation insights straight to your inbox
Sign-up to get the latest updates and opportunities from our Technology and Innovation and AI programmes.