Clearview AI, a contentious facial recognition business, might face punishment in the United Kingdom. Because of what the Information Commissioner’s Office (ICO) characterized as “alleged significant breaches” of national data protection legislation, it has also been issued a provisional notice to halt further processing of UK individuals’ data and to erase any data it already possesses.
In a joint investigation with the Australian Information Commissioner, the ICO has been looking into the tech company, which sells AI-powered identity matching to law enforcement and other paying customers via a facial recognition platform that it trained covertly on photos harvested from Internet sources (like social media platforms) (OAIC).
The OAIC had previously ordered Clearview to erase data earlier this month after discovering that it had broken Australian rules. As a result, the ICO has lagged behind the other two authorities. However, it said today that it intends to punish Clearview over £17 million (US$22.6 million) based on a number of potential violations.
Having a valid legal basis processing personal data and failing to process human data in a manner consistent with or in line with their expectations of providing adequate information to those data processed Failure to establish a mechanism to prevent data retention indefinitely. In addition, the failure to meet higher standards is one of the violations the ICO suspects “initial investigation with Clearview AI.”
The ICO contacted Clearview for comment on its preliminary findings. Clearview’s London-based attorney, Kelly Hagedorn (a partner at Jenner & Block London LLP), sent a statement (below) describing the ICO’s provisional finding as “factually and legally incorrect,” saying the company is considering an appeal and “further action,” and claiming the company does not do business in the UK (nor have any UK customers currently).
The following is the full text of Clearview’s statement: “The statements made by the UK ICO Commissioner are both factually and legally inaccurate. The corporation is considering filing an appeal and taking other steps. Clearview AI helps law enforcement organizations with publicly available information from the internet. To be clear, Clearview AI does not do business in the United Kingdom and currently has no UK customers.”
It remains to see if the ICO’s preliminary censure will followed up with a formal fine and a data processing halt order against Clearview. For one reason, the ICO’s announcement comes only a few weeks before Elizabeth Denham, the current commissioner, steps down in January to replace by New Zealand’s privacy commissioner, John Edwards.
As a result, a new broom will be in charge of determining whether the preliminary results stand up to Clearview’s arguments (and potential legal action). The ICO makes it clear in its announcement today that Clearview will have the option to make submissions, which it says it would examine before making a final judgment, which it says might take until mid-2022.
It is also worth noting that under Denham, the ICO has significantly reduced the amount of preliminary fines it has issued in connection with previous data breach cases (such as those to British Airways; and Marriott). After the internet giant challenged the ICO’s temporary censure in the Cambridge Analytica controversy, the ICO reached an agreement with Facebook.
While Facebook agreed to pay the ICO’s £500k fine in full in that case, it did so without admitting any guilt and in exchange for the ICO signing a non-disclosure agreement (which has limited what the commissioner can say in public about its correspondence with Facebook). Over all it appear as if Facebook got a good bargain, one that agreed to a regulator; Who was anxious about being sued over its decision-making procedures?