Data Breaches | Clearview AI Inc v The Information Commissioner
In an article posted to this website entitled The Information Commissioner’s Office | Investigations into Data Breaches’ we explained the nature of The UK Information Commissioner’s Office (the ‘ICO’) and its activities.
The Case of Clearview AI Incorporated v The Information Commissioner [2023] UKFTT 819 (GRC) recently concluded when the First-tier Tribunal overturned a very substantial fine imposed by the ICO.
Clearview AI Inc v The ICO
Background
Clearview is a provider of facial recognition software and, inter alia, collects images which it scrapes from the worldwide internet, social media and news sites.
The images are stored for usage by government and law enforcement agencies abroad, including the United States.
The company’s database stores billions of images which can be linked to matching online images.
In 2020, Clearview settled a case brought by US civil liberties campaigners in relation to private data breaches in the US involving many nationalities including those from the UK and Australia.
The ICO and its Australian counterpart launched a joint operation into suspected data breaches by Clearview.
ICO Findings
The ICO determined that Clearview had failed to comply with UK data protection laws.
In particular, the ICO highlighted that Clearview had failed to:
- use the information of people in the UK in a way that is fair and transparent,
- have a lawful reason for collecting people’s information,
- have a process in place to stop the data being retained indefinitely,
- meet the higher data protection standards required for biometric data. (classed as ‘special category data’ under the EU GDPR and UK GDPR).
ICO Enforcement
As a result of these breaches, on 18 May 2022, the ICO:
- fined Clearview £7,552.800 although it had indicated in 2021 that it would impose fines in excess of £17 million.
- issued an Enforcement Notice ordering it to stop collecting and using the personal data of UK residents which is publicly available on the internet and to delete such data from its systems.
Appeal to First-tier Tribunal
The First-tier Tribunal (Information Rights) (FTT) heard the appeal.
At the Hearing in November 2022, Clearview maintained, inter alia that:
- it had not breached General Data Protection Regulation 2016 (‘GDPR’)
as it was a foreign company, registered outside of the UK/EU, and fell outside the scope of such Regulations,
- as a US firm, its clients are foreign governments and contractors, and without a clear establishment within the UK or EU, its services fell outside the scope of GDPR.
- its processing of personal data did not involve monitoring behaviour, but rather just the searching of facial images on their online platform.
In response, the ICO relied on Article 3(2)(b) of GDPR which provides it has international scope when a company outside the UK engages in processing related to the monitoring of the behaviour of data subjects in the UK.
On 17 October 2023, the First-tier Tribunal allowed the appeal by Clearview and overturned ICO Enforcement Notices saying that it did not have jurisdiction to issue them accepting that:
- although the processing involved at Clearview constituted monitoring of individuals in the UK for GDPR purposes, the processing was outside of the scope of the GDPR,
- it was accepted that Clearview’s services were only provided to non-UK/EU law enforcement or national security bodies and their contractors and therefore the activities of foreign governments and their agencies fell outside the scope of GDPR.
How Can We Assist?
The Team at KANGS provides many years experience of defending and advising on alleged breaches of Regulations of every description, both civil and criminal, throughout the whole process.
Our Team is always seeking to place each client’s interests at the forefront in order to ensure the best available outcome.
Should you become subject to an ICO investigation or any other type of Regulatory investigation, including those which involve any alleged criminal conduct, please do not hesitate to contact us.
If we can be of assistance, please do not hesitate to contact to contact our Team through any of the following channels and we would be delighted to help:
Telephone: 0333 370 4333
Email: info@kangssolicitors.co.uk
We provide initial no obligation discussion at our three offices in London, Birmingham and Manchester.
Alternatively, discussions can be held virtually through live conferencing or telephone.
