Embattled facial recognition firm Clearview AI faces fresh legal trouble in the United Kingdom, where it may soon be fined for violation of the country’s data protection laws.
The relatively small proposed fine is already drawing criticism from some privacy advocates, but the proposal would also effectively ban the company from the country and force it to delete any biometric data it has collected.
Clearview AI Continues to Rack Up Penalties for Scraping of Social Media Pictures
The Information Commissioner’s Office (ICO), the UK’s lead data protection authority, has announced its provisional intent to impose a fine of “just over £17 million” on Clearview AI. While privacy advocates point out that the fine amount seems small compared to the scope of personal information that the firm scraped from social media accounts (and the maximums allowed by data protection laws), it will likely be a substantial blow to a company that was recently valued at just $130 million and struggled to raise $30 million from investors during its recent legal and PR troubles.
Perhaps bigger news is that the announcement is accompanied by a provisional notice to Clearview AI to stop processing the personal data of UK citizens and to delete all that has been collected thus far. In this the UK would follow Australia, with which it worked on a joint investigation into the firm’s practices and violations of data protection laws.
ICO says that the biometric information of a “substantial number” of UK citizens was swept up by Clearview AI, and that “a number” of UK law enforcement agencies made use of a trial period in which this information may have been accessed. The firm failed to comply with UK data protection laws in a number of ways: unfair or unexpected processing of personally identifiable information, not having a lawful reason to collect the information, not having a process in place to stop data from being retained indefinitely, failure to inform data subjects, requesting additional personal information (photos) as a condition of opting out, and failing to meet the higher standards for “special category data.”
These provisions are not binding as of yet. Clearview AI is being offered a chance to respond to the allegations, and ICO expects to review the matter until mid-2022. The final decision could result in reduced fine amounts or even no formal action. The firm has already withdrawn its services from the country as the matter plays out, however.
Data protection laws standardized under GDPR, but penalties vary throughout Europe
While Clearview AI keeps tripping over data protection laws throughout the world, the consequences seem to vary greatly by jurisdiction. The firm was essentially driven out of Canada, but still finds a home in the United States; at least, outside of the state of Illinois (where it violated local biometric data protection laws), New York (where a two-year moratorium on law enforcement use of facial recognition was passed recently) and a number of different cities.
Data protection laws should be more standardized in Europe given the General Data Protection Regulation (GDPR), even in the post-Brexit UK where the present laws are still largely the same. But though the laws might be more uniform, the penalties are not. Sweden opted for a fine of just €250,000 for Clearview AI in its own proceedings earlier this year, and much of the region has yet to weigh in.
The company is facing GDPR complaints in multiple countries, but the issue is complicated by the fact that Clearview AI has not established an EU headquarters and has been secretive about its client list. Much of the information about its business has come via leaks.
Throughout all of the troubles of the past two years, Clearview AI has maintained that it is innocent and has a right to gather up “publicly posted” pictures on social media sites (in spite of nearly every major platform disagreeing with this stance and forbidding the company from using their APIs for scraping). CEO Hoan Ton-That made a special appeal to the UK in a response to ICO’s proposals, saying that the technology has been “misinterpreted” and suggesting that it should be used for investigations into the sexual abuse of children in the country.
The UK’s separation from EU data protection laws is relatively new, having begun at the start of 2021. The country opted to reserve the right to fine up to 4% of a company’s annual global turnover for violations, but (as with the EU) nothing has yet come close to that amount. Its largest fine to date came in 2020 and was issued to British Airways, a penalty of £20 million. It also fined hotel chain Marriott £18.4 million around the same time.
Ilia Kolochenko, Founder of ImmuniWeb, notes that there has been a tendency thus far for punishments to not fit the scope of the crimes: “Clearview AI has allegedly collected and processed over 10 billion individual photos without notice, let alone valid consent. The personal life and privacy of many UK and EU residents are jeopardized for commercial gain stemming from the unlawful processing of personal data. Furthermore, under GDPR, the highest penalty threshold for a data breach is 2% of infringer’s annual turnover, and 4% for violations like unlawful processing of personal data, making this specific decision of ICO incomprehensible for me. In some notorious cases, like BA, the fine was eventually reduced from hundreds of millions to a significantly smaller amount, however, for different reasons unrelated to the gravity of the violation … Different reports show that there is no consistency between GDPR fines and enforcement priorities among European DPAs, while this decision also demonstrates that even one DPA, like ICO, may have broadly varying decisions that make GDPR enforcement unpredictable. The European Data Protection Board should probably bring more clarity and uniformity to the context by issuing additional guidelines on fines.”