A US company that gathered photos of people from Facebook and other social media sites for use in facial recognition by its clients is facing a £17m fine after the Information Commissioner’s Office found it had committed “serious breaches” of data protection law.
Clearview AI, which describes itself as the “world’s largest facial network”, allows its customers to compare facial data against a database of over 10bn images harvested from the internet.
The database is “likely to include the data of a substantial number of people from the UK and may have been gathered without people’s knowledge from publicly available information online, including social media platforms”, the ICO said.
Clearview’s technology had been offered on a “free trial basis” to UK law enforcement agencies, the data regulator added.
It said Clearview had broken data protection law by failing to process the information of people in the UK in a way they were likely to expect or that was fair. The company did not have processes in place to stop the data being retained indefinitely, nor did it have a lawful reason to collect the information.
Clearview also allegedly failed to meet the higher data protection standards required for biometric data under general data protection regulations and did not inform people in the UK of what was happening to their data.
The ICO said people who asked for their data to be deleted may have been disincentivised from going through with the request because Clearview asked for additional personal information, including photographs.
Clearview’s free trial for law enforcement bodies has been discontinued and the company’s services are no longer being offered in the UK.
Scrutiny of the company’s activity in the UK follows revelations in 2020 about its work for US law enforcement.
The ICO said it had ordered Clearview to stop further processing of the personal data of people in the UK and to delete it. It also warned the company of its “provisional” intention to impose a £17m fine for the breaches.
Clearview can now make representations to the ICO, which conducted the investigation alongside its Australian counterpart, the OAIC, ahead of a final decision in mid-2022.
The UK’s information commissioner, Elizabeth Denham, said: “I have significant concerns that personal data was processed in a way that nobody in the UK will have expected. It is therefore only right that the ICO alerts people to the scale of this potential breach and the proposed action we’re taking.”
Denham added: “Clearview AI Inc’s services are no longer being offered in the UK. However, the evidence we’ve gathered and analysed suggests Clearview AI Inc were and may be continuing to process significant volumes of UK people’s information without their knowledge. We therefore want to assure the UK public that we are considering these alleged breaches and taking them very seriously.”
The potential fine for Clearview follows mounting concern in the UK about the growing use of biometric technology, including the use of facial recognition systems to take payment in school canteens.
The Guardian has approached Clearview for comment.