Controversial facial recognition company Clearview AI is facing a potential fine in the UK.
It has also been handed a provisional notice to stop further processing of UK citizens' data and to delete any data it already holds as a result of what the Information Commissioner's Office (ICO) described as "alleged serious breaches" of national data protection law.
The ICO has been looking into the tech company -- which sells AI-powered identity matching to law enforcement and other paying customers via a facial recognition platform that it trained covertly on photos harvested from Internet sources (like social media platforms) -- in a joint investigation with the Australian Information Commissioner (OAIC).
The OAIC already, earlier this month, issued an order to Clearview to delete data after finding it broke national laws down under. So the ICO has been the laggard of the two regulators.
But today it issued the notification of a provisional intention to fine Clearview over £17 million (~$22.6M) -- citing a range of suspected breaches.
Among the raft of violations the ICO suspects -- following what it describes as "preliminary enquiries with Clearview AI" -- are failures to process people's information fairly or in a way they expect, in line with requirements to have a valid legal basis for processing personal data and to provide adequate information to those whose data is processed; along with a failure to have a process in place to prevent data being retained indefinitely; a failure to meet higher standards required for processing biometric data -- which is considered special category data under the European standard (the GDPR) that's transposed into UK law; and also for applying problematic processes when people object to its processing of their information -- such as asking for more personal data ("including photographs") in response to such objections.
Clearview was contacted for comment on the ICO's provisional findings.
A spokesperson sent this statement (below), attributed to its London based attorney, Kelly Hagedorn -- who describes the ICO's provisional finding as "factually and legally incorrect"; says Clearview is considering an appeal and "further action"; and claims the company does not do business in the UK (nor have any UK customers currently).
Here's Clearview's statement in full:
Whether the ICO's preliminary sanction will go the distance and turn into an actual fine and data processing cessation order against Clearview remains to be seen.
For one thing, the ICO's notification is timed a few weeks ahead of the departure of sitting commissioner, Elizabeth Denham, who is set to be replaced by New Zealand's privacy commissioner John Edwards in January.
So a new broom will be in charge of deciding whether the provisional findings hold up in the face of Clearview's objections (and potential legal action).
In its statement today, the ICO is careful to note that Clearview will have the opportunity to make representations -- which it says it will consider before any final decision is reached, and which it furthermore suggests may not happen until mid-2022.
Under Denham, it's also notable that the ICO has substantially shrunk a number of provisional penalties it handed out in relation to other breach investigations (such as those to British Airways; and Marriott).
The ICO also settled with Facebook over the Cambridge Analytica scandal after the tech giant appealed its provisional sanction.
And while Facebook agreed to pay the ICO's £500k fine in full in that case it did so without admitting any liability and also got the ICO to agree to sign a non-disclosure agreement over the arrangement (which has limited what the commissioner can say in public about its correspondence with Facebook). So, in all, that ended up looking like a sweet deal for Facebook -- agreed to by a regulator apparently concerned at being challenged in the courts over its decision-making processes.
There is fresh complexity on the horizon around enforcement of the UK's data protection regime too, now -- in that the government is in the process of consulting on making changes to national law that could see ministers reduce protections wrapping people's data -- such as by removing or altering requirements around transparency, fairness and what constitutes a valid legal basis for processing people's data -- as part of a claimed 'simplification' of the current laws.
So the ICO's caveat on its provisional "view to fine" Clearview -- which it specifies may be "subject to change or no further formal action" -- looks like more than just a reminder to recall its own recent history of enforcements not standing up to its earlier convictions.
Why is it acting at all now if there's a risk of ministers moving the goalposts? Denham may have an eye on amplifying her legacy as she departs for pastures new. Or she may hope to try and bind the hands of her successor -- and limit the reformist zeal of DCMS to downgrade UK data protection -- or, indeed, a little of all of the above.
In a statement, the outgoing commissioner said: "I have significant concerns that personal data was processed in a way that nobody in the UK will have expected. It is therefore only right that the ICO alerts people to the scale of this potential breach and the proposed action we're taking. UK data protection legislation does not stop the effective use of technology to fight crime but to enjoy public trust and confidence in their products technology providers must ensure people's legal protections are respected and complied with."
"Clearview AI Inc's services are no longer being offered in the UK. However, the evidence we've gathered and analysed suggests Clearview AI Inc were and may be continuing to process significant volumes of UK people's information without their knowledge. We therefore want to assure the UK public that we are considering these alleged breaches and taking them very seriously," she added.
On the investigation findings itself, the regulator's press release on its provisional view and potential fine offers only tentative conclusions, with the ICO writing that: "The images in Clearview AI Inc's database are likely to include the data of a substantial number of people from the UK and may have been gathered without people's knowledge from publicly available information online, including social media platforms."
It adds that it "understands that the service provided by Clearview AI Inc was used on a free trial basis by a number of UK law enforcement agencies", and further specifying that this trial "was discontinued and Clearview AI Inc's services are no longer being offered in the UK" -- without offering any details on when the tech was being used and when usage stopped.
Clearview has faced regulatory pushback elsewhere around the world too.
Earlier this year Canada's privacy watchdog concluded its own investigation of the AI firm -- finding multiple breaches of national law and also ordering it to cease processing citizens' data.
Clearview rejected the findings -- but also said it no longer offered the service to Canadian law enforcement.