Clearview AI, a US-based facial recognition company, has amassed a vast database of billions of photos by scraping public websites, including social media platforms. With 3,000 customers, it is by far the most used facial recognition AI system by law enforcement and military entities. In principle, Clearview helps law enforcement identify suspects in criminal investigations by police uploading a photo of an individual and receiving potential matches from Clearview AI's database. While Clearview appears to be the best choice among facial recognition AI systems (its competitor DataWorksPlus was involved in a scandalous wrongful arrest by Detroit police in 2020), it too has been the subject of controversy and legal challenges, as its practice of scraping images from the internet without individuals' consent has raised privacy concerns.
Privacy sanction and Clearview AI's appeal
Clearview AI has successfully appealed against a privacy sanction imposed by the UK's Information Commissioner's Office (ICO). In 2022, the ICO concluded that Clearview committed multiple breaches of UK privacy laws, ordered the deletion of data on UK citizens and issued a fine of approx. GBP 7.5m.
The appeal was won on legal jurisdictional grounds, with the tribunal ruling that Clearview AI's activities were exempt from UK data protection laws due to their association with foreign law enforcement. The company argued that it is a foreign entity serving "foreign clients", primarily for their national security and criminal law enforcement functions. The tribunal accepted Clearview AI's claim that it exclusively provides its services to non-UK/EU law enforcement or national security bodies and their contractors. As a result, the ICO's enforcement decision, which found breaches of the UK GDPR, was overturned.
Previous legal actions against Clearview AI
The penalty from the UK is merely one among multiple legal actions and cases that Clearview AI has faced lately. Last July, the company was fined USD 20m and prohibited from handling biometric information in Greece due to breaches of the EU GDPR. Regulators in France and Italy have also levied comparable fines against the company. However, back in May, the French data protection authority confirmed that Clearview AI did not pay the fine. There is currently no information on whether any of these penalties ultimately were enforced.
In the USA, Clearview AI reached a settlement with the American Civil Liberties Union and several other plaintiffs last year. The settlement essentially banned Clearview AI from selling its database to private businesses or individuals anywhere in the USA, restricting its business to American government agencies.
What can be expected in the EU?
The European Data Protection Board (EDPB) and the European Data Protection Supervisor have previously advocated for a ban on mass-scale and indiscriminate collection of personal data for law enforcement, specifically mentioning practices like scraping of online photos. The EDPB has also issued guidelines on facial recognition in law enforcement, emphasising the importance of data protection rules and assessing the "necessity and proportionality" of AI tools.
The EU is currently working on a risk-based framework for AI regulation. Earlier, the Commission's 2021 proposal identified AI systems with real-time and remote biometric facial recognition systems as prohibited. Members of the European Parliament supported amendments to the draft EU AI Act, proposing a ban on indiscriminate scraping of biometric data from social media, deeming it a violation of human rights, as well as on real-time and ex-post biometric facial recognition systems, except in severe crimes. The fate of this proposal in the final AI Act is uncertain. Even if it is included, the ability of regional regulators to enforce it against non-compliant foreign companies remains an open question. Nevertheless, we are eager to see the final EU AI Act, which should be completed by the end of 2024.