The UK Information Commissioner has fined Clearview AI £7.5m and ordered it to stop processing data about UK residents. This raises important questions about both the theoretical jurisdiction of the UK GDPR and the practical limits on extra-territorial enforcement. We consider what might happen next.
Clearview AI operates a facial recognition tool. A customer can submit an image that Clearview AI then turns into a set of facial vectors. Those facial vectors are then used to search Clearview AI’s database, which is said to extend to some 20 billion images scraped from the public internet.
The tool returns potential matches alongside metadata and URLs associated with the original image. The intention is that this additional information can then be used to identify the individual in the image.
The primary purpose appears to be law enforcement. In the UK, at least five law enforcement authorities carried out a trial of the system and conducted 721 searches on the system in order to try and identify the individuals.
However, this technology is apparently used for other purposes. For example, Clearview AI has offered its services to the Government of Ukraine in connection with the Russian invasion to identify combatants and the deceased on both sides of the conflict.
Clearview AI does not have any presence in the UK and, save for the trial described above, does not offer its services to customers in the UK.
This means that the only basis upon which it could be subject to the UK GDPR/GDPR is as a result of monitoring the behaviour of individuals in the UK (Art 3(2)(b)). The Information Commissioner concluded that Clearview AI was caught on this basis. The primary reason for this is that:
Perhaps recognising this is not a conventional interpretation of the monitoring test, the Information Commissioner notes that any other construction would mean data-scraping companies outside the UK would escape the UK GDPR/GDPR; “such a construction is inconsistent with the purposes of the GDPR and UK GDPR, in particular their purpose of providing a high degree of protection to data subjects”.
The conclusions on breach were more robust. Clearview AI did not even try to argue it complied with the UK GDPR/GDPR. The Information Commissioner suggests this is because it “would be hopeless” to do so, finding breaches of:
Given the primary purpose of the Clearview AI database is the prevention and detection of crime, it is interesting that Clearview AI did not even attempt to counter these findings. For example, this could potentially provide a legal basis, a justification for processing special category data and an exemption from a number of data subject rights.
However, Clearview AI may well have considered it was still hopeless to argue it complied with the UK GDPR/GDPR given the totality of the infringements and the fact that their service was being used for other purposes (such as in the Ukrainian war).
Based on the statutory factors in Article 83(2), the Information Commissioner issued a Monetary Penalty Notice fining Clearview AI £7,552,800.
This is surprisingly low. Given the significant breaches described above and the very large-scale processing of data about UK residents, this processing seems to warrant a larger fine. Indeed, the Information Commissioner originally proposed a fine of £17.5m. No reason is given for the significant discount made to the final fine issued to Clearview AI.
The Information Commissioner also issued an Enforcement Notice ordering Clearview AI to stop scraping data about UK residents and to delete any information about UK residents from its database. Literal compliance with this Enforcement Notice is technically impossible – how do you know if someone is a UK resident or not? However, in US proceedings (Mutnick v Clearview AI) Clearview AI has already committed to:
The Information Commissioner considers that adopting comparable steps in relation to UK residents would be sufficient for “practical compliance” with the Enforcement Notice.
It is not clear how Clearview AI will respond. The early signs are not promising and suggest that it disputes the Information Commissioner’s jurisdiction and so will just ignore the Monetary Penalty Notice or the Enforcement Notice.
All should become clear by 17 June. If Clearview have neither paid the fine nor lodged an appeal by that date, the next step for the Information Commissioner would be to get an order from the High Court for payment of the fine. Failure to comply with that order is then contempt of court, but given Clearview AI has no presence in the UK, even that might not be sufficient to ensure compliance.
Perhaps signalling an awareness of this risk and a shift towards a more pragmatic approach to enforcement, during an interview with “Politico”, John Edwards (the Information Commissioner) said he offered to waive Clearview AI’s fine completely if they agreed to delete data and not offer services in the UK. However, Clearview AI declined.
Copies of the Monetary Penalty Notice and Enforcement Notice are here.