US facial recognition firm Clearview AI wins GDPR appeal in UK


Clearview AI, a controversial US facial recognition company, has won a court case against the United KIngdom’s privacy watchdog and overturned a massive fine imposed on the firm.

The company had been accused by the UK’s Information Commissioner’s Office (ICO) of alleged infractions related to the country’s general data protection regulation (GDPR). Originally, Clearview AI was fined £7.5m (nearly $10m) for breaches of the regulation in May 2022.

The fine to Clearview AI, which is (in)famous for using scraped personal data to sell an identity-matching service to law enforcement and national security bodies, will now be rescinded unless the ICO further appeals the ruling.

ADVERTISEMENT

Bad news for your privacy

The latter states: “Whether or not Clearview has infringed the Articles of GDPR or UK GDPR as alleged or at all was not the issue before us. That would be the subject of any substantive hearing were this case to go forward.”

What this means is that the UK court tribunal considers the company’s activities to fall outside of UK’s data protection law because there’s an exemption related to foreign law enforcement.

The court document further says of Clearview AI: “It is a foreign company providing its service to ‘foreign clients, using foreign IP addresses, and in support of the public interest national security and criminal law enforcement functions’, such functions being targeted at behavior within their jurisdiction and outside of the UK.”

That’s obviously bad news for UK citizens whose images are certainly circulating in Clearview AI’s system. John Edwards, UK Information Commissioner, said in 2022: “Clearview AI Inc has collected multiple images of people all over the world, including in the UK, from a variety of websites and social media platforms, creating a database with more than 20 billion images.”

“The company not only enables identification of those people, but effectively monitors their behavior and offers it as a commercial service. That is unacceptable,” said Edwards.

But the court believed the company’s claim that it only had customers in the United States and said it could not act extraterritorially.

ADVERTISEMENT

However, in Sweden, the local police authority was fined more than $300,000 for its illegal use of Clearview AI products in 2021.

That same year, an investigation by BuzzFeed News revealed that 88 law enforcement agencies in 24 countries, including Canada, Australia, Brazil, and various EU member states, have at least tried to use Clearview AI software as of 2020.

Clearview AI is still facing lawsuits in Europe, with fines being levied in France, Italy, and Greece. So far, the firm has managed to avoid paying any fines in the EU.

Nevertheless, even if the EU’s data protection framework currently makes it very difficult for firms like Clearview AI to sell their facial recognition technology in the bloc, the UK’s GDPR is distinct law since finalizing Brexit in December 2020.

In essence, it seems that the appeal’s approval sets a legal precedent – the UK court system’s stance on enforcing GDPR has been relegated to only those companies firmly within the UK’s purview.

The New York Times journalist Kashmir Hill has recently published a book (reviewed by Cybernews here), telling the story of Clearview AI’s rise – and the fall – of its reputation among privacy-minded activists in the US and elsewhere.

Even though the settlement between Clearview AI and the American Civil Liberties Union in 2022 banned the firm from providing the so-called faceprints to corporate clients, the company actually expanded the sales of its software, moving on from mainly serving the police to attracting private companies.

Vaale, a Colombian app-based lending start-up, has adopted Clearview AI to match selfies to user-uploaded ID photos, and another firm selling visitor management systems to schools has signed up, too.

ADVERTISEMENT