Clearview AI's Selfie-Scraper Wins Appeal Against UK Privacy Sanction: What This Means for Data Protection

Clearview AI Wins Appeal Against UK Privacy Sanction

Controversial U.S. facial recognition company Clearview AI has successfully appealed a privacy sanction imposed by the United Kingdom last year. In May 2022, the Information Commissioner’s Office (ICO) issued an enforcement notice against Clearview, which included a fine of approximately £7.5 million (~$10 million). The ICO determined that the self-scraping AI firm had violated local privacy laws multiple times. Additionally, the ICO ordered Clearview to erase information it had collected on U.K. citizens, which is used to provide identity-matching services to law enforcement and national security agencies.

Following this enforcement action, Clearview launched an appeal. In a ruling delivered yesterday, the tribunal sided with Clearview, stating that the company's activities fall outside U.K. data protection law due to a specific exemption pertaining to foreign law enforcement. While the tribunal acknowledged the ICO’s stance that Clearview’s data processing related to the monitoring of individuals by its clients, it found the ICO's arguments regarding legal jurisdiction were flawed.

The U.K. General Data Protection Regulation (GDPR) clarifies that the processing of personal data by competent authorities for law enforcement purposes is exempt from its regulation, being governed instead by Part 3 of the Data Protection Act 2018. Clearview argued that it solely serves "foreign clients, using foreign IP addresses, in support of public interest activities of foreign governments and agencies, particularly concerning national security and criminal law enforcement."

The tribunal accepted Clearview’s assertion that it only provides services to non-U.K./EU law enforcement and national security bodies along with their contractors. This decision overturned the ICO’s previous enforcement ruling, which identified multiple breaches of U.K. GDPR.

In response to this ruling, an ICO spokesperson stated: "The ICO will review today’s judgment and consider next steps. Importantly, this judgment does not undermine the ICO’s authority to act against international companies processing U.K. citizens' data, particularly those scraping personal information."

The ICO has not indicated whether it will appeal the tribunal’s decision, but it has a 28-day window to make that determination.

One lingering question is why the ICO opted to challenge Clearview under the U.K. GDPR rather than the Data Protection Act 2018 (DPA 2018). The ICO has chosen not to comment on this matter. In the meantime, Clearview welcomed the tribunal's ruling. "We are pleased with the tribunal’s decision to negate the U.K. ICO’s unlawful order against Clearview AI,” said General Counsel Jack Mulcaire in a brief response.

The U.K. sanction is one of several penalties imposed on Clearview by regulatory bodies in recent years. Data protection authorities in France, Italy, and Greece have also found Clearview in violation of the EU’s GDPR, which provides the framework for the U.K.’s domestic data protection laws. However, post-Brexit, the U.K. GDPR is now a distinct legal framework. It remains uncertain whether this tribunal ruling will affect other actions against Clearview linked to the EU's GDPR.

The challenges faced by European regulators in enforcing data protection rules against Clearview are evident. For instance, in May, France’s CNIL revealed that Clearview had not paid the fines previously imposed and indicated it would pursue additional penalties. The authority also mandated Clearview to delete data on French citizens and halt any further unlawful processing. The CNIL has stated that it is in discussions with the U.S. Federal Trade Commission to explore ways to enforce its injunctions against Clearview.

The Clearview situation raises critical questions for European regulators about the extent of their powers to curb a U.S. company that collects and utilizes data on their citizens for selling privacy-invasive facial recognition services to foreign authorities. Current laws and enforcement capabilities suggest significant obstacles remain.

In recent developments, EU lawmakers have turned their attention to the Clearview controversy as they work towards creating a risk-based regulatory framework for artificial intelligence applications. Earlier this year, Members of the European Parliament (MEPs) supported amendments to the draft EU AI Act that would prohibit practices involving indiscriminate scraping of biometric data from social media and other sites to develop facial recognition databases — a practice characterized by MEPs as a violation of fundamental rights, including the right to privacy.

As discussions surrounding the AI Act continue, it remains to be seen whether the prohibition against scraping personal images for facial recognition ID matching will ultimately be included in the final legislation. If adopted, it could further tighten the legal framework against Clearview. Meanwhile, the efficacy of new regulatory measures to ensure compliance from foreign firms like Clearview remains uncertain.

This report has been updated to include responses from CNIL and additional information from the ICO.