Kevin McDade: Face off – facial recognition company in potential £17 million fine from ICO
On 29 November 2021, the UK Information Commissioner’s Office (ICO) announced its provisional intent to impose a potential fine of just over £17 million on Clearview AI Inc, a facial recognition company, writes Kevin McDade.
In addition, the ICO has issued a provisional notice to stop further processing of the personal data of people in the UK and to delete any data held following alleged serious breaches of the UK’s data protection legislation.
Who are Clearview?
A start-up which has grown rapidly in recent years, Clearview sells access to its database of over 10 billion facial images. It allows its customers (primarily US law enforcement agencies) to search their images within Clearview’s own databases and the Clearview algorithm identifies matches.
The photos in the Clearview database are scraped from a number of publicly available sources, such as news sites and social media pages. This process makes use of biometrics and facial recognition through AI.
UK Data Protection Requirements
By collecting photos and other data of individuals based in the UK, Clearview would be subject to the UK data protection legislation, regardless of the fact that the services aren’t provided in the UK. Firstly, there needs to be a lawful basis for the processing of the personal data. There are six lawful bases in relation to the processing of personal data, including consent and legitimate interests. These are set out in Article 6 of the UK GDPR.
Where the personal data involved is “special category”, there are further requirements. Special category data is personal data which is particularly sensitive in nature. One example is biometric data used for identification purposes. In order to lawfully process special category data, a processor must identify both a lawful basis under Article 6 of the UK GDPR and a separate condition for processing under Article 9. These further requirements include, for example, explicit consent.
In addition to the requirements for a lawful basis for data processing, the UK GDPR sets out a number of rights for individuals, which include: the right to be informed (i.e. provided with details of the processing); the right to erasure; and the right to restrict/object to processing. In addition to these specific requirements, there are overarching principles for processing personal data - including lawfulness, fairness and transparency.
What is the ICO’s view?
The ICO noted “significant concerns that personal data was processed in a way that nobody in the UK will have expected”.
The preliminary view suggests that Clearview has failed to comply with UK data protection legislation in several ways, including by:
- failing to process the information of people in the UK in a way they are likely to expect or that is fair;
- failing to have a process in place to stop the data being retained indefinitely;
- failing to have a lawful reason for collecting the information;
- failing to meet the higher data protection standards required for biometric data;
- failing to inform people in the UK about the processing; and
- requiring further data (such as further photographs) from data subjects wishing to object to processing.
Clearly, these issues relate to the fundamental requirements of data protection legislation indicated above, so it is perhaps unsurprising that the ICO has taken such a strong stance.
What’s next for Clearview?
Clearview has a chance to make representations in respect of these alleged breaches and the ICO will make a decision in mid-2022.
The action taken may therefore change and we have certainly seen the levels of fines change from the levels set out in the ICO’s initial notices recently. The UK investigation is connected to an Australian one and Clearview may also face further action in other jurisdictions, with privacy campaigners filing coordinated legal complaints against Clearview in the last year.
As well as the ICO fine, Clearview could therefore face significant reductions in its use of data (and therefore its business model). This is in addition to the reputational damage which has been caused.
Lessons to be learned?
This is a clear warning to start-ups, even in times of rapid growth, to be aware of the legal requirements associated with each jurisdiction affected by their services.
Data protection is not the only relevant consideration for services such as those provided by Clearview. For example, most websites contain terms and conditions which explicitly prohibit data scraping. Facial recognition and AI generally have featured heavily in the news in recent years. It is clear that the technology is advancing and will feature prominently in our lives going forward.
Recent trends in the governance of AI have emphasised its ethical use, with transparency and protection of individuals at the core. While the legislative landscape for AI in the UK remains uncertain, it seems likely that these will continue to be key considerations.
Start-ups will need to balance the drive for innovation with legal and ethical standards - or face financial and reputational damage.
Kevin McDade is a senior solicitor at Burness Paull