The ICO made headlines this week when it announced its third largest GDPR-era fine to date, over £7.55m, against the controversial facial-recognition database provider Clearview AI Inc (Clearview). It has also issued an enforcement notice against the company ordering Clearview to stop obtaining and using the personal data of UK residents and to delete the data of UK residents from its systems. While the ICO’s full decision has not yet been made public there are some interesting insights from the regulator’s initial announcement:
1. The final penalty amount has been reduced significantly from the amount the ICO intended to fine (again)
The final £7.55m fine against the tech firm follows the ICO’s announcement last November of its provisional view to fine Clearview over £17m (which we discussed in our December post). Although the Clearview fine reduction is well over 50% of the ICO’s provisional figure, it amounts to a less significant reduction than that in the ICO’s BA and Marriott actions. While we wait for clarification from the ICO as to the precise reason for the reduction, it is anticipated that representations from Clearview will have played a part.
2. The ICO enforced against Clearview for a broad range of GDPR compliance failings
While we are accustomed to the ICO bringing actions for security breaches, this fine focuses on more extensive UK GDPR failings, reminiscent of the ICO’s wide ranging pre-GDPR action against Equifax. Failings cited by the ICO’s statement include Clearview having a lack of appropriate legal bases for processing and failing to process data fairly and transparently. The ICO also highlighted Clearview’s data retention practices as breaching the UK GDPR (as the company failed to have a process in place to stop the data being retained indefinitely) and found Clearview in contravention of the special category data rules in relation to its processing of biometric data. It also referenced data subjects’ rights failings, in relation to Clearview’s process of requesting a photo when an individual enquired if they were on their database. This action provides a reminder to all organisations that the ICO can and will examine granular UK GDPR compliance, particularly when it has cause to ‘open the bonnet’.
3. The ICO is focused on international cooperation
In his statement accompanying the announcement of the Clearview fine the Information Commissioner, John Edwards, emphasised that the ICO worked with the Australian privacy regulator to bring the action against Clearview (the ICO had previously announced that it was carrying out a joint investigation with the Australian Information Commissioner) and set out his vision that “international cooperation is essential to protect people’s privacy rights”. His statement also highlighted the ICO’s work with its European counterparts, with the Commissioner noting that he has a meeting with European regulators next week to facilitate collaboration on tackling global privacy harms. This meeting could be well timed given the Government’s response to the DCMS’ data protection reform consultation is expected imminently which may signal a move towards greater divergence between the UK and EU GDPR regimes.
4. This action may give us greater insight on the ICO’s interpretation of the extraterritorial scope of the UK GDPR
The ICO statement makes it clear that this was an international enforcement action against a global company, Clearview AI Inc. While we do not yet have any clarity on the approach the ICO has taken, the ICO statement references that Clearview is “no longer offering its services to UK organisations” and that it “effectively monitors… behaviour” of people in the UK. This suggests that this may be an enforcement action brought by the ICO on the basis of the extraterritorial reach of the UK GDPR. As such, we hope the ICO may offer guidance on this challenging area in its decision against Clearview, particularly as there is currently little direction from the regulator on these points.