The Intellectual Commissioner’s Office (ICO) has stated it intends to fine US facial recognition company Clearview AI Inc (Clearview) more than £17 million for alleged breaches of data protection law.
Clearview launched its facial recognition app in 2020 with the aim of helping law enforcement agencies identify suspects. Users can upload a photo of an individual and the app will match the photo to others collected from social media pages and the wider internet to help with identification. The app’s database reportedly contains over 10 billion images.
The ICO and the Office of the Australian Information Commissioner conducted a joint investigation into Clearview’s practices and concluded the company is collecting sensitive information about people without their knowledge or consent and is not taking reasonable steps to notify people of the collection of their information. The investigation also found Clearview has not taken reasonable steps to ensure its practices are compliant with Australian and UK privacy principles.
While the app is no longer available in the UK, the ICO believes the company may still be processing information from UK citizens without their knowledge. The ICO has ordered Clearview to cease processing the information of UK citizens and warned the company could be fined more than £17 million. Clearview has the opportunity to make representations to the ICO before a final decision is made. Clearview has stated its technology has been interpreted incorrectly and it intends to appeal to the ICO.
This case highlights the ICO’s commitment to address concerns over the increasing use of biometric technology. It also serves as a reminder for those businesses which collect employee, customer or client information that the law surrounding data protection in the UK was updated in 2018 and it is essential business practices reflect these recent changes.
As a quick reminder, businesses which operate in the UK must:
- have a lawful reason for collecting personal data;
- inform people what is happening to their data;
- process information in a way which UK citizens are likely to find fair or expect;
- not retain personal data indefinitely; and
- take care to meet the higher standards surrounding the collection of biometric data.
At Hamlins, we have the expertise to advise on GDPR compliance and data collection practices. If your business collects personal information and you would like a conversation about ensuring your practices comply with the latest UK data rules, or you are concerned your personal information is being used without your consent, get in touch.