ICO and OAIC Find ‘Serious Breaches’ of Privacy Law
On Nov. 29, 2021, the U.K. Information Commissioner’s Office (ICO) announced a provisional intent to fine Clearview AI over £17 million, alleging several privacy violations related to the company’s use of “scraped” data and biometrics of individuals. More significantly, the provisional order would require the company to stop processing personal data of people from the U.K. and to delete the data collected from U.K. individuals. The ICO’s notice follows a similar announcement that was made by Australia’s Information Commissioner earlier in the month ordering Clearview to cease collecting facial images and biometric templates from individuals in Australia and to destroy existing images and templates collected from Australians. We provide some key takeaways for companies that are building and testing facial recognition and artificial intelligence tools.
In announcing the resolution of a joint investigation with the Office of the Australian Information Commissioner (OAIC), the ICO alleged several privacy violations, including:
- Failing to process personal data fairly and in a way that people in the U.K. would expect.
- Failing to implement a process to ensure data is not retained indefinitely.
- Failing to rely on an appropriate legal basis.
- Failing to treat biometric data with the sensitivity required of “special categories” data under the EU’s General Data Protection Regulation (GDPR) /U.K. GDPR.
- Failing to provide appropriate notice.
- Asking for additional information—in particular photos—from individuals wishing to exercise their rights, which the ICO argues could deter individuals from exercising their rights.