Controversial facial recognition company Clearview AI has been ordered to delete all data belonging to UK residents by the country’s privacy watchdog, the Information Commissioner’s Office (ICO). The ICO also fined Clearview £7.5 million ($9.4 million) for failing to follow the UK’s data protection laws.
Clearview claims to have scraped 20 billion images from sources like Facebook and Instagram
Clearview claims its facial recognition database contains some 20 billion images scraped from public sources like Facebook and Instagram. It previously sold its software to an array of private users and businesses, but recently agreed to restrict itself in the US to selling to federal agencies and police departments following a lawsuit brought by the American Civil Liberties Union (ACLU).
In the UK, Clearview AI’s services have been used in the past by law enforcement customers including the Metropolitan Police, Ministry of Defence, and National Crime Agency. ICO says the company “no longer offers its services to UK organisations,” but notes that the data it has scraped from UK residents can still be used by customers in other countries.
In a press statement, the UK’s Information Commissioner John Edwards said Clearview had likely collected a great deal of information on UK residents. “The company not only enables identification of those people, but effectively monitors their behaviour and offers it as a commercial service. That is unacceptable,” said Edwards. “That is why we have acted to protect people in the UK by both fining the company and issuing an enforcement notice.”
The ICO said Clearview violated several tenets of UK data protection law, including failing to use data in a way that is “fair and transparent” (given that residents’ images were scraped without their knowledge or consent), “failing to have a lawful reason for collecting people’s information,” and “failing to have a process in place to stop the data being retained indefinitely.”
However, although ICO has issued a fine against Clearview and ordered the company to delete UK data, it’s unclear how this might be enforced if Clearview has no business or customers in the country to sanction. In response to a similar deletion order and fine issued in Italy under EU law earlier this year, Clearview’s CEO Hoan Ton-That responded that the US-based company was simply not subject to EU legislation.
When questioned on this matter, the ICO told The Verge that if the company fails to comply, it can issue further fines. (Though if Clearview ignores the first, it’s unclear what more will do.)
In response to the same query, Lee Wolosky of Jenner and Block, Clearview’s legal representatives, told The Verge: “While we appreciate the ICO’s desire to reduce their monetary penalty on Clearview AI, we nevertheless stand by our position that the decision to impose any fine is incorrect as a matter of law. Clearview AI is not subject to the ICO’s jurisdiction, and Clearview AI does no business in the U.K. at this time.”
The ICO added that Clearview has 28 days to appeal the ruling, and then 6 months to comply with it. When asked how the company will be expected to distinguish between data belonging to UK residents and other individuals, the watchdog said: “This is a question for Clearview to answer.” The regulator added that its investigations team “will maintain contact with Clearview to make sure appropriate measures are taken.”
Update, May 23rd, 09:57AM ET: The story has been updated with additional comment from the ICO and Clearview’s legal representation.