American facial recognition company Clearview AI faces a fine of just over £17m ($22.6m) for alleged “serious breaches” of the UK’s data protection laws.
The UK’s Information Commissioner’s Office (ICO) announced the planned penalty yesterday and issued a provisional notice to Clearview to stop processing personal data taken from UK residents and to delete any such data in its possession.
The announcement follows a joint investigation by the ICO and the Office of the Australian Information Commissioner (OAIC), which found Clearview AI in breach of Australian privacy laws.
Clearview claims to have the largest known database of facial images, with more than 10 billion images sourced from public-only web sources, including news media, mugshot websites, public social media, and other open sources.
The company pitches its web-based intelligence platform, powered by facial recognition technology, as a tool that helps law enforcement “generate high-quality investigative leads.”
Users can upload an image of a suspect’s face and search for matching images that appear online.
“The images in Clearview AI Inc’s database are likely to include the data of a substantial number of people from the UK and may have been gathered without people’s knowledge from publicly available information online, including social media platforms,” stated the ICO.
In its preliminary findings, the ICO accuses Clearview of multiple failures to comply with UK data protection laws. The company’s alleged crimes include failing to process the information of people in the UK in a way they are likely to expect or that is fair; failing to have a process in place to stop the data being retained indefinitely; and failing to have a lawful reason for collecting the information.
Clearview’s service was used on a free-trial basis by several UK law enforcement agencies, but it is no longer offered in the country.
“UK data protection legislation does not stop the effective use of technology to fight crime, but to enjoy public trust and confidence in their products technology providers must ensure people’s legal protections are respected and complied with,” said the UK’s information commissioner Elizabeth Denham.
Clearview dismissed the ICO’s allegations as “factually and legally incorrect.”