Month: November 2021

ICO issues provisional view to fine Clearview AI Inc over £17 million

The Privacy PerspectiveLeave a comment

The Information Commissioner’s Office (“ICO”) has issued a provisional view of the imposition of a £17m fine over Clearview AI.

The BBC cites that the firms’ database has over 10bn images. The ICO has issued a provisional notice to stop further processing of the personal data of people in the UK and to delete any such data following alleged serious breaches of the UK’s data protection laws.

In a joint investigation with the Australian Information Commissioner (“AIC”) the ICO concluded that the data, some scraped from the internet, was being processed, in the case of UK persons, unlawfully in some instances.

Clearview AI Inc’s services were being used on a free trial basis by some law enforcement agencies. This has been confirmed to no longer be the case.

The ICO’s preliminary view is that Clearview AI Inc appears to have failed to comply with UK data protection laws in several ways including by:

  • failing to process the information of people in the UK in a way they are likely to expect or that is fair;
  • failing to have a process in place to stop the data being retained indefinitely;
  • failing to have a lawful reason for collecting the information;
  • failing to meet the higher data protection standards required for biometric data (classed as ‘special category data’ under the GDPR and UK GDPR);
  • failing to inform people in the UK about what is happening to their data; and
  • asking for additional personal information, including photos, which may have acted as a disincentive to individuals who wish to object to their data being processed.

Information Comissioner Elizabeth Denham commented:

“I have significant concerns that personal data was processed in a way that nobody in the UK will have expected. It is therefore only right that the ICO alerts people to the scale of this potential breach and the proposed action we’re taking. UK data protection legislation does not stop the effective use of technology to fight crime, but to enjoy public trust and confidence in their products technology providers must ensure people’s legal protections are respected and complied with.

Clearview AI Inc’s services are no longer being offered in the UK. However, the evidence we’ve gathered and analysed suggests Clearview AI Inc were and may be continuing to process significant volumes of UK people’s information without their knowledge. We therefore want to assure the UK public that we are considering these alleged breaches and taking them very seriously.”

This is one of the largest fines issued under the GDPR to date. Clearview now has the opportunity to respond, both in the UK and Australia (the AIC has found breaches of Australian privacy laws).

It’s unsurprising that its database, said to have included images scraped from social media, has drawn the attention of regulators. Facial recognition services have been at the forefront of recent data analytics scrutiny and data protection enforceability.

The ICO press release can be found here and the AIC press release here.

The previous statement of the ICO on the conclusion of the joint investigation can be found here.

Quotes from caselaw 4: PJS v News Group Newspapers Limited [2016] UKSC 26 – privacy rights are broader than just confidentiality

The Privacy PerspectiveLeave a comment

It is a rare case where an application for a interlocutory injunction succeeds despite an article on the subject already being published. Such was the case in PJS, one of the most significant English law cases concerning privacy law to date.

The leading judgment was handed down by Lord Mance. It concerned the grant of an injunction to keep details of an extra marital affair between a claimant of great renown being published by the press.

Lord Mance observes the fact that privacy is a zonal right justifying protection, differing in character from the right of confidentiality. The esteemed judge highlights previous cases at paragraphs 58 and 59 of the judgment, endorsing the well entrenched approach from the Court of Appeal.

He characterises privacy, rightly, as extending beyond the bounds of confidentiality. In doing so ones private life becomes a space that should remain, in certain circumstances, free from intrusion.

However, claims based on respect for privacy and family life do not depend on confidentiality (or secrecy) alone... “unwanted access to private information and unwanted access to [or intrusion into] one’s … personal space”

Lord Mance at p.58-59

Concluding Lord Mance opined on the capacity of the internet to change perceptions of privacy. He acknowledged that the courts need to remain cognizant of this. In doing so he affirmed the findings of previous caselaw, gave credence to commentators and noted the implications of tweeting and blogging:

 I also accept that, as many commentators have said, that the internet and other electronic developments are likely to change our perceptions of privacy as well as other matters – and may already be doing so. The courts must of course be ready to consider changing their approach when it is clear that that approach has become unrealistic in practical terms or out of touch with the standards of contemporary society. However, we should not change our approach before it is reasonably clear that things have relevantly changed in a significant and long-term way. In that connection, while internet access became freely available in this country only relatively recently, almost all the cases listed at the end of para 59 above were decided since that happened, and many of those cases were decided after blogging and tweeting had become common.

Lord Mance at p.70

TPP has commented further on the PJS case here.

Citation: INFORRM Blog, ZXC v Bloomberg LP: Privacy and Reputational Harm – Jeevan Hariharan

The Privacy Perspective1 Comment

The INFORRM Blog has an excellent post on the inter-related nature of privacy and reputational harms.

Whether an individual has a reasonable expectation of privacy that outweighs the public interest in cases where there has been an investigation, but no charge, by the police is an imminent case before the Supreme Court in the case of ZXC v Bloomberg LP.

The case is before the UK Supreme Court on 30 November and 1 December next week and was cited by Hariharan in his analysis of the proximity between privacy and reputational harms.

The Court of Appeal judgment can be found here. The Court found that there could be a reasonable expectation of privacy in the fact of a police investigation. This builds upon notable caselaw such as the Cliff Richard case.

Citation: BBC: WhatsApp changes privacy policy after Irish data protection authority issues £190m fine

The Privacy PerspectiveLeave a comment

The BBC has an insightful article on WhatsApp’s behaviour after the sanctions imposed on it by the Irish Data Protection Authority fined it £190m in September 2021.

According to the BBC, the tweaks are designed to “add additional detail around [WhatsApps] existing practices”, and will only appear in the European version of the privacy policy, which is already different from the version that applies in the rest of the world.

“There are no changes to our processes or contractual agreements with users, and users will not be required to agree to anything or to take any action in order to continue using WhatsApp,” the company said, announcing the change.

WhatsApp is appealing the fine imposed against it by the Irish Data Protection Commissioner.

TPP number 30 on Feedspot – Top 35 Privacy Websites and Blogs

The Privacy PerspectiveLeave a comment

We are delighted to be ranked 30 out of Feedspots top 35 blogs. TPP was ranked alongside law firms and authoritative blogs on privacy law.

According to Feedspot sites are ranked “by traffic rank, social media followers, domain authority & freshness.” The full list can be found here and is a must read for anyone interested in privacy law matters.

TPP re-published by the The Student Lawyer: Use of facial recognition software in school lunch queues in North Ayrshire

The Privacy PerspectiveLeave a comment

TPP is pleased to announce that the article that appeared on this site analysing use of facial recognition software in schools in North Ayrshire has been republished by the Student Lawyer.

The Student Lawyer is a go-to legal news and blogging site for law students. You can find the article here.

Citation: 5RB: European Court of Human Rights upholds Article 8 privacy breach in relation to reputation of a dead person

The Privacy PerspectiveLeave a comment

In a case builds upon pre-existing caselaw on the rights of those who are deceased the European Court of Human Rights has found an article 8 breach in relation to news articles posted about a deceased Roman Catholic Priest.

ML v Slovakia 34159/17 concerned a number of articles published by three Slovakian newspapers about the historic sex offence convictions of the claimants son.

The Court found that the articles were inaccurate and sensationalist citing that: “However, it follows from what has been said above that the domestic courts failed to carry out a balancing exercise between the applicant’s right to private life and the newspaper publishers’ freedom of expression in conformity with the criteria laid down in the Court’s case-law.

Concluding the Courts stated, applying Article 8:

“…dealing appropriately with the dead out of respect for the feelings of the deceased’s relatives falls within the scope of Article 8 of the Convention”.

Furthermore the Court stated a clear and concise view on the journalistic integrity of the reporting: “Although the journalists must be afforded some degree of exaggeration or even provocation, the Court considers that the frivolous and unverified statements about the applicants sons private life must be taken to have gone beyond the limits of responsible journalism” -p.47

5RB has an excellent case comment.