Victory! The ICO provisionally issues £17 million fine against facial recognition company Clearview AI

In what could be seen as one of the strongest sanctions against the company in Europe, the Information Commissioner’s Office (ICO), which is tasked with enforcing data protection legislation in the UK, has today announced its provisional intent to issue a potential fine of £17 million against the controversial facial recognition company Clearview AI.

Clearview AI, which only received worldwide attention following a New York Times report back in January 2020, is a company whose business model relies on scraping billions of publicly available images from the web. These images are then stored indefinitely in a database and the facial features of the people depicted in them are extracted and hashed. Clearview AI then sells access to the database to its clients, who have reportedly ranged from private companies or employers to law enforcement authorities and police across the world, and who are able to use the software to identify faces. Due to their extremely intrusive nature, facial recognition systems, and particularly any business model that seeks to rely on them, raises serious concerns for modern societies and individuals’ freedoms.

In light of the global scrutiny that Clearview AI came under, several regulators commenced enforcement actions globally, including a joint investigation by the ICO and its Australian counterpart, with the latter releasing its determinationon 3 November 2021, finding that Clearview AI breached Australian privacy laws.

In its announcement, the ICO finds that Clearview AI appears to have failed to comply with UK data protection laws in several ways. It has issued a provisional notice to the company to stop further processing of the personal data of people in the UK and to delete it.

PI welcomes the ICO’s provisional findings which largely reflect the arguments put forward in the submissions we made before it in May 2021. In May 2021, similar complaints and submissions, together with 3 other organisations, were lodged with the French, Italian, Greek and Austrian data protection regulators.

“It is finally time for companies like Clearview AI to face the music”, said Ioannis Kouvakas, PI’s Acting General Counsel. “Today’s announcement is not only an affirmation of our data protection rights as Internet users, but also a clear message to companies whose toxic business model relies on the exploitation of the moments we and our loved ones post online”.

“Clearview AI’s business enables unprecedented surveillance of our online and offline lives”, said Lucie Audibert, Legal Officer at PI. “We have laws against this kind of interference with our fundamental rights, and regulators are finally starting to right these wrongs. To investors who recently committed $30 million of funding to Clearview’s perilous business, this decision should be a wake-up call.”

The company now has the opportunity to make representations with regard to the alleged breaches.