TL;DR:
- Clearview AI has won an appeal against a £7.5 million privacy sanction imposed by the UK’s Information Commissioner’s Office (ICO).
- The appeal hinged on jurisdictional grounds, with the tribunal ruling that Clearview AI’s activities fall outside UK data protection law due to an exemption related to foreign law enforcement.
- The ICO argued that Clearview AI’s processing was related to monitoring data subjects’ behavior and identified the company as a joint controller for the processing.
- Despite the ruling, the ICO retains the ability to act against international companies processing UK citizens’ data, particularly in cases involving foreign law enforcement.
- Clearview AI faces ongoing enforcement actions in France, Italy, and Greece under the EU’s GDPR, but the UK’s post-Brexit GDPR framework adds complexity to the applicability of this ruling.
- European regulators and authorities continue to advocate for stringent data protection rules, including a ban on practices like scraping biometric data for facial recognition databases.
- In the US, Clearview AI’s legal battles have resulted in a national ban on selling its facial recognition database to private entities, limiting its business to government contracts.
Main AI News:
Clearview AI, the controversial US facial recognition company, has successfully won an appeal against a privacy sanction imposed by the UK last year. This development marks a significant turn of events in the ongoing saga surrounding Clearview AI’s operations and their implications for privacy and data protection.
In May 2022, the Information Commissioner’s Office (ICO) in the UK issued a formal enforcement notice against Clearview AI, accompanied by a substantial fine of approximately £7.5 million (~$10 million). This enforcement action was taken after the ICO found Clearview AI guilty of multiple breaches of local privacy laws. Additionally, the ICO ordered Clearview AI to delete the personal data it had collected from UK citizens.
However, Clearview AI did not accept this decision without a fight. The company filed an appeal against the ICO’s ruling, contesting it on various grounds. In a recent ruling, the tribunal sided with Clearview AI on the jurisdictional aspect, stating that the company’s activities fell outside the purview of UK data protection law due to an exemption related to foreign law enforcement.
It is important to note that while the tribunal agreed with the ICO’s assertion that Clearview AI’s processing activities were related to monitoring data subjects’ behavior, it also identified Clearview AI as a joint controller for the processing. Nevertheless, the jurisdictional aspect proved to be the deciding factor.
According to Clearview AI, it operates as a foreign company, exclusively providing its services to foreign clients, using foreign IP addresses, and supporting the public interest activities of foreign governments and government agencies, particularly in the realms of national security and criminal law enforcement functions.
As a result of the tribunal’s decision, the ICO’s enforcement actions under the UK’s General Data Protection Regulation (GDPR) were overturned. The GDPR stipulates that the processing of personal data by competent authorities for law enforcement purposes falls outside its scope and is instead subject to rules outlined in the Data Protection Act 2018, which transposes the EU Law Enforcement Directive EU2016/680 into UK law post-Brexit.
While this ruling is a victory for Clearview AI, it does not entirely preclude the ICO’s ability to act against international companies processing data of individuals in the UK. This judgment specifically revolves around an exemption related to foreign law enforcement.
The ICO has not yet confirmed whether it will appeal the decision, but it retains the option to do so within the next 28 days.
In response to the tribunal’s ruling, Clearview AI expressed its satisfaction, with General Counsel Jack Mulcaire stating, “We are pleased with the tribunal’s decision to reverse the UK ICO’s unlawful order against Clearview AI.”
This case is just one of several enforcement actions against Clearview AI in recent years, with data protection authorities in France, Italy, and Greece finding the company in breach of the EU’s GDPR. However, the distinct nature of the UK’s post-Brexit GDPR framework raises questions about the applicability of this ruling to other enforcement actions referencing the EU’s GDPR.
Despite these challenges, European regulators remain committed to enforcing data protection rules against foreign companies processing data of their citizens. The European Data Protection Board (EDPB) and the European Data Protection Supervisor have called for a ban on processing personal data in a law enforcement context, explicitly citing practices like scraping photographs and facial pictures from the public internet, which Clearview AI engages in.
In the United States, litigation against Clearview AI under Illinois law resulted in a settlement that imposed a national ban on the company selling access to its facial recognition database to private entities. This effectively limits Clearview AI’s business to government contracts.
European lawmakers are also actively working on regulations for artificial intelligence applications, with proposed amendments to prohibit indiscriminate scraping of biometric data for facial recognition databases. The outcome of these legislative efforts will play a pivotal role in determining the future of Clearview AI’s operations in the European Union.
Conclusion:
Clearview AI’s legal battles and the evolving landscape of data protection regulations continue to shape the boundaries of privacy and technology in the digital age. The ramifications of this tribunal ruling may extend beyond the UK, influencing how international companies handle personal data and prompting further discussions on privacy rights and enforcement mechanisms.
