The Information Commissioner’s Office (ICO) has fined a US-based company which describes itself as the ‘world’s largest facial network’. On 23 May, Clearview AI Inc was issued with a Monetary Penalty Notice (MPN) of £7,552,800 for breaches of the UK General Data Protection Regulation (GDPR). While substantially lower than the £17m Notice of Intent issued in November 2021, this fine shows that the new Information Commissioner, John Edwards, is willing to take on at least some of the big tech companies.

Ibrahim Hasan

Clearview’s online database contains 20 billion images of people’s faces and data scraped from publicly available information on the internet and social media platforms all over the world. The company allows customers, including the police, to upload an image of a person to its app, which is then checked against all the images in the database. The app then provides a list of matching images with a link to the websites from where they came.

The ICO was of the view that, given the high number of UK internet and social media users, Clearview’s database is likely to include a substantial amount of data from UK residents, gathered without their knowledge. It found the company had breached the GDPR by failing to:

  • use UK residents’ personal data in a way that is fair and transparent, given that individuals are not made aware or would not reasonably expect their personal data to be used in this way;
  • have a lawful reason for collecting personal data;
  • have a process in place to stop the data being retained indefinitely; and
  • meet the higher data protection standards required for biometric data (special category data).

The ICO also found that Clearview was asking for additional personal data, including photos, when members of the public asked whether they were on its database. This may have acted as a disincentive to individuals who wish to object to their data being collected and used.

Alongside the MPN, the ICO issued an Enforcement Notice ordering Clearview to stop obtaining and using the personal data of UK residents that is publicly available on the internet, and to delete the data of UK residents from its systems. Clearview argued that the ICO lacks jurisdiction over its processing. On first reading one may have some sympathy with this argument. After all, Clearview has no operations, customers or headquarters in the UK. While Clearview is not established in the UK, the ICO was of the view that it is covered by the operation of Article 3(2) setting out the extraterritorial effect of the GDPR:

This regulation applies to the relevant processing of personal data of data subjects who are in the United Kingdom by a controller or processor not established in the United Kingdom where the processing activities are related to:

1.    the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the United Kingdom; or

2.    the monitoring of their behaviour as far as their behaviour takes place within the United Kingdom.

The ICO took a broad view on whether the processing activities of Clearview are ‘related to’ the monitoring of a UK data subject’s behaviour within the UK and thus subject to the GDPR. The European Data Protection Board has issued Guidelines 3/2018 on the territorial scope of the GDPR. Those reading them may have understood Article 3(2)(b) to focus on the data controller analysing or predicting a data subject’s behaviour through activities such as behavioural advertising, personalised health analytics and geolocation. Recital 24 also refers to profiling ‘in order to take decisions’. Clearview argued that any monitoring and decision-making was undertaken by its customers. It was merely making the information available to them for this purpose.

The ICO found this to be irrelevant. Even though it was Clearview’s customers, rather than Clearview, conducting analysis and taking decisions about individuals, Clearview’s processing (collecting the images in the database and providing them to its customers) was ‘related to’ the monitoring activities undertaken by its customers. Clearview’s own activities were therefore subject to the GDPR. Part of the ICO’s logic for its decision was that any other view would allow an organisation established outside of the jurisdiction to ‘evade effective regulatory scrutiny’ by basing itself in a jurisdiction with lower protections for individuals.

The ICO’s action comes after a joint investigation with the Office of the Australian Information Commissioner. The latter has ordered the company to stop processing Australian citizens’ data and delete any such information it held. France and Canada have also sanctioned the company under the EU GDPR.

So what next for Clearview? The ICO has very limited means to enforce an MPN against foreign entities. Clearview has no operations or offices in the UK so it could just refuse to pay. This may be problematic from a public relations perspective as many of Clearview’s customers are law enforcement agencies in Europe who may not be willing to associate themselves with a company that has been found to have breached privacy laws. If Clearview does appeal, it will be a good opportunity to receive judicial guidance about the territorial scope of the UK GDPR.

Ibrahim Hasan is a solicitor and director of Act Now Training