Facial Recognition and Sensitive Data Scraping under Significant Enforcement Actions in the UK and Australia
19 December 2021
The UK Information Commissioner’s Office (“ICO”) has recently announced a provisional intent to fine Clearview AI Inc. (“Clearview”) over £17 million (approximately $22.6 million) for several alleged data protection violations in breach of the UK’s privacy laws. In addition, the ICO has issued a provisional notice to stop further processing of the personal data of people in the UK and to delete it following these allegations.
According to the investigation’s background, Clearview’s facial recognition service allows customers to upload an image of an individual’s face and match it to photos of that person’s face collected from the internet, including information regarding its source. Clearview’s system is reported to include a database of more than 10 billion images that the company claims to have taken or ‘scraped’ from various online sources, including social media platforms. Customers of Clearview can also provide an image to the company to carry out biometric searches, including facial recognition searches, to identify relevant facial image results against the abovementioned database.
According to the ICO’s announcement, Clearview’s alleged violations of data protection laws included the following:
- Unfair processing of personal data – Clearview has failed to process the personal data of UK data subjects in a way they are likely to expect or that is fair;
- Data retention – Clearview retained the data indefinitely and did not have a procedure in place to avoid such retention;
- Lack of lawful grounds – Clearview has failed to present a lawful reason for the collecting and processing of the personal data;
- Special category of data – Clearview collects and processes biometric data, which is considered a ‘special category’ of personal data per the European General Data Protection Regulation (“GDPR”) and the UK GDPR. Such categories of data require higher data protection standards, which Clearview has failed to meet;
- Inadequate notice – Clearview has failed to inform UK data subjects about what is happening to their data as part of the company’s collection and processing activities; and
- Limiting exercise of data subjects’ rights – Clearview has required data subjects who wished to exercise their rights to provide it with additional personal data, including photos. According to the ICO, this practice may have had a disincentive effect on data subjects who wished to object to the processing of their personal data.
In its separate announcement, the OAIC has indicated additional actions in breach of the Australian Privacy Act, such as inaccuracy of the data processed.
Clearview’s practices have also been challenged by additional regulators across various jurisdictions. In the UK, Clearview is provided with the opportunity to make representations with regard to the alleged violations, as presented in the ICO’s announcement. A final decision by the ICO is expected in the middle of 2022.
These recent enforcement actions highlight the increased scrutiny over adequate and compliant collection and processing of personal data, especially when the processing of individuals’ facial photos – whether provided by the data subject or scraped from public sources – is involved. Please feel free to contact us if you have any questions regarding the practical implications and the influence of these enforcement actions on your company’s activities.
Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation