The UK’s data protection watchdog has won its appeal against a controversial facial recognition technology firm, making a £7.5m fine more likely.
The Information Commissioner’s Office (ICO) issued the penalty in May 2022, after it found Manhattan-headquartered Clearview AI guilty of breaching the UK GDPR.
It said the firm had illegally scraped the images of UK residents from websites and social media pages and uploaded them to a global database that could be used by Clearview customers for facial recognition. None of the data subjects had given their consent for their images to be used in this way.
Clearview AI had successfully appealed the fine and enforcement notice with the First-Tier Tribunal (FTT). However, the ICO was recently successful in counter-appealing at the Upper Tribunal (UT).
The UT upheld three of the regulator’s four grounds of appeal. It found that:
- Clearview’s processing of personal information is related to monitoring the behavior of UK residents
- Clearview’s processing does not fall outside the reach of UK data protection law just because it provided its services to foreign law enforcement and government agencies
- The FTT applied the law incorrectly in finding that Clearview’s processing of personal information was outside the material scope of the UK GDPR under Article 2(2)a
Information Commissioner John Edwards welcomed the decision as providing much-needed clarity on the scope of the UK GDPR. No matter where companies are based in the world, if they want to monitor the behavior of UK residents, they will be in scope of UK data protection law, he confirmed.
“The UT’s decision has upheld our ability to protect UK residents from having their data, including images, unlawfully scraped and then used in a global online database without their knowledge,” Edwards added.
“The ruling also gives greater confidence to people in the UK that we can and will act on their behalf, regardless of where the company handling their personal information is based. It is essential that foreign organizations are held accountable when their technologies impact the information rights and freedoms of individuals in the UK.”
The decision is legally binding, although Clearview AI can appeal. The UT has directed the FTT to consider the appeal again, now that it is confirmed that the ICO did have jurisdiction to issue the fine.
The case highlights the difficulty data protection regulators have in collecting fines from deep-pocketed technology firms which they believe have broken the law.
The ICO initially issued a £17m fine but more than halved it after representations from the company.
Australia’s privacy watchdog last year called off its investigation into Clearview AI, despite no evidence that the company had complied with an order compelling it to delete the images of Australians in its database.