The controversial facial recognition company, Clearview AI, has been warned it could face a £17 million fine for multiple breaches of UK Data Protection law.
The Information Commissioner said today that the company, which uses scraping technology to harvest photographs of people from social media and web sites is alleged to have made serious data protection breaches.
The ICO has issued the company with a provisional notice requiring it to halt the processing of data belonging to people in the UK and to delete copies of all data held on UK citizens.
The regulator has asked Clearview to respond to the allegations, which are set out in a preliminary notice of intent and a preliminary enforcement notice, before the ICO makes a final decision, expected by mid-2022.
Clearview AI’s legal representative, Kelly Hagedorn of law firm Jenner & Block London said that the UK Commissioner’s assertions were factually and legally incorrect. “The company is considering an appeal and further action.”
Largest known database
Clearview AI sells access to what it claims is the “largest known database” of more than 10 billion facial images to law enforcement agencies in the US.
The company uses algorithms to match photographs supplied by its customers against biometric data taken from websites, online news media, social media and other sites.
It claims to have helped law enforcement officials track down hundreds of criminals, including pedophiles, terrorists and sex traffickers, and to identify victims of crime.
Clearview AI provided free trials to a number of UK law enforcement agencies but has now withdrawn its services from Europe and the UK.
The UK’s data protection regulator said in a provisional notice today that Clearview AI is likely to hold data about a “substantial number” of people from the UK, which may have been gathered without their knowledge.
Elizabeth Denham, the Information Commissioner said, “I have significant concerns that personal data was processed in a way that nobody in the UK will have expected.”
Although Clearview AI is no longer offering services in the UK, Denham said that evidence analysed by the ICO suggests that it may “be continuing to process significant volumes of UK people’s information without their knowledge.”
The ICO said that its preliminary finding is that Clearview AI failed to process information fairly in a way that people would reasonably expect.
The ICO also said in its preliminary notice that Clearview did not have a lawful reason for collecting information on UK citizens, failed to meet the higher data protection standards required for biometric data, and failed to have a process to stop information being retained indefinitely.
The ICO also alleges that the company failed to inform people in the UK how it was using their data. Clearview also asked for additional personal information, including photographs which may have deterred people who wished to object to have their data processed.
Hoan Ton-That, CEO of Clearview AI said that he was “deeply disappointed” that the UK information Commissioner has misinterpreted his technology and intentions.
“My company and I have acted in the best interests of the UK and their people by assisting law enforcement in solving heinous crimes against children, seniors, and other victims of unscrupulous acts,” he said.
Australia action against Clearview
The ICO’s notice follows a joint investigation with the Office of the Australian Information Commissioner (OAIC).
In a decision issued in November, OAIC found that Clearview AI had breached the privacy of Australians.
It ordered the company to cease collecting facial images and biometric templates from people in Australia and to destroy existing data.
The Australian Commissioner, Angelene Falk, said that Clearview’s collection of sensitive information was unreasonably intrusive and unfair.
She said that the company’s activities carried a significant risk of harm to individuals, including vulnerable groups such as children, and victims of crime, whose images can be searched on Clearview AI’s database.
“The indiscriminate scraping of people’s facial images, only a fraction of whom would ever be connected with law enforcement investigations, may adversely impact the personal freedoms of all Australians who perceive themselves to be under surveillance,” she said.
A patent application by the company showed that the technology could be used for other purposes, including dating, retail, and granting or denying access to facilities or devices, OAIC noted.
Clearview, which stopped offering its services to police forces in Australia after the OAIC began its investigation, has argued that the information it collected was not personal information and that Clearview AI fell outside of Australian law as a US company.
European privacy complaints
Privacy International and other human rights organisations filed co-ordinated legal complaints against Clearview in May this year to data protection regulators in the UK, France, Austria, Italy and Greece.
They alleged that Clearview processes personal data in breach of data protection law and used photographs posted on the internet in a way that goes beyond what users would reasonably expect.
Privacy International said that data subject access requests by its staff showed that Clearview AI collects photographs of people in the UK and the European Union.
Clearview also collects metadata contained in the images, including the location where the photograph was taken, web links back to the original photograph, and other data.
The company uses neural networks to scan each image to uniquely identify facial features which as stored as “vectors” made up of 512 data points.
These are used to convert photographs of faces into machine-readable biometric identifiers, which are hashed using a mathematical function to allow the database to be rapidly searched.
Clearview’s clients can upload images of people they wish to identify and receive any closely matching images along with metadata that shows where the image came from.
Lucie Audibert, Legal Officer at Privacy International said the UK’s preliminary decision should be a wake-up call to investors in Clearview AI.
“We have laws against this kind of interference with our fundamental rights, and regulators are finally starting to right these wrongs,” she said.
Ioannis Kouvakas, PI’s Acting General Counsel said, “Today’s announcement is not only an affirmation of our data protection rights as Internet users, but also a clear message to companies whose toxic business model relies on the exploitation of the moments we and our loved ones post online”.
Clearview, which was founded in 2017, first came to the public’s attention in January 2020, when The New York Times revealed that it had been offering facial recognition services to more than 600 law enforcement agencies and at least a handful of companies for “security purposes”.
Buzzfeed subsequently reported that the company’s users included college security departments, attorney’s general and private companies, including events organisations, casino operators, fitness firms and cryptocurrency companies.
The company has faced numerous legal challenges to its privacy practices from the American Civil Liberties Union and other organisations.
The Office of the Privacy Commissioner of Canada (OPCC) published a report in February 2020 recommending that Clearview cease offering its service in Canada and delete images and biometric data collected from Canadians.
The Swedish Authority for Privacy Protection found in February 2021 that the Swedish Police Authority had unlawfully used Clearview’s services in breach of the Swedish Criminal Data Act.
Clearview boss ‘heartbroken”
Hoan Ton-That, CEO of Clearview AI called for discussions with law makers about its work, arguing that the company had been forced to turn down requests for help from UK law enforcement agencies investigating serious crimes.
“It breaks my heart that Clearview AI has been unable to assist when receiving urgent requests from UK law enforcement agencies seeking to use this technology to investigate cases of severe sexual abuse of children in the UK.”
“We collect only public data from the open internet and comply with all standards of privacy and law,” he said
“I would welcome the opportunity to engage in conversation with leaders and lawmakers so the true value of this technology which has proven so essential to law enforcement can continue to make communities safe,” he said.
Clearview’s UK attorney, said: “Clearview AI provides publicly available information from the internet to law enforcement agencies. To be clear, Clearview AI does not do business in the UK, and does not have any UK customers at this time.”