The UK Information Commissioner’s Office (ICO) has fined Clearview AI Inc. $8 million for violating the data privacy of UK residents.

The ICO has also issued an enforcement notice, ordering the company to stop obtaining and using the personal data of UK residents that is publicly available on the internet and to delete the data of UK residents from its systems.

According to the ICO, Clearview AI collected more than 20 billion images of people’s faces and data from publicly available information on the internet and social media platforms worldwide to create an online database for facial recognition. The company collected highly sensitive biometric information without the knowledge or consent of individuals. 

Clearview AI’s technology allowed law enforcement and commercial organizations to match photographs of unknown people against the company’s databank of more than 3 billion images for investigation purposes. 

“Given the high number of UK internet and social media users, Clearview AI Inc’s database is likely to include a substantial amount of data from UK residents, which has been gathered without their knowledge,” says the ICO. Although Clearview AI Inc no longer offers its services to UK organizations, the company has customers in other countries, so the company is still using the personal data of UK residents.

Specifically, the ICO found that Clearview AI breached UK data protection laws by:

• failing to use the information of people in the UK in a way that is fair and transparent, given that individuals are not made aware or would not reasonably expect their personal data to be used in this way;
• failing to have a lawful reason for collecting people’s information;
• failing to have a process in place to stop the data from being retained indefinitely;
• failing to meet the higher data protection standards required for biometric data (categorized as ‘special category data’ under the GDPR and UK GDPR);
• asking for additional personal information, including photos, when members of the public ask if they are on their database. This may have acted as a disincentive to individuals who wish to object to their data being collected and used.

UK Information Commissioner John Edwards said, “The company not only enables identification of those people, but effectively monitors their [behavior] and offers it as a commercial service. That is unacceptable. That is why we have acted to protect people in the UK by both fining the company and issuing an enforcement notice.”

Edwards called for international enforcement to help take action and protect people from intrusive activities. “This international cooperation is essential to protect people’s privacy rights in 2022,” he added, noting he would be meeting with regulators in other countries to tackle global privacy concerns. 

In March, Italy's data protection regulator, the Garante, fined the facial recognition company +$20 million for violating the GDPR and ordered Clearview AI to delete all data collected on individuals in Italy and prohibited to continue collection and processing activities in the country. Earlier this month, Clearview AI agreed to settle a 2020 lawsuit from the American Civil Liberties Union, which accused the company of violating Illinois's Biometric Information Privacy Act (BIPA), and banned Clearview AI from selling its facial recognition software to most U.S. companies.  And, France, Canada and Australia have sanctioned the company.

Chris Olson, CEO of The Media Trust, says the ICO’s action against Clearview AI demonstrates that emerging data privacy legislation has “teeth, and businesses around the world need to take it seriously.” 

Olson says a majority of organizations with online domains or digital apps violate the guidelines outlined in General Data Protection Regulation (GDPR), whether they realize it or not. “Developers frequently collect and handle user data in irresponsible ways and without proper disclosure — moreover, they share that data with unknown third parties, who may then share it with fourth and fifth parties. For businesses that don’t commit to digital safety and trust, it’s only a matter of time before they will suffer from data breaches and expensive fines.”