European Union Law

ICO issues provisional view to fine Clearview AI Inc over £17 million

The Privacy PerspectiveLeave a comment

The Information Commissioner’s Office (“ICO”) has issued a provisional view of the imposition of a £17m fine over Clearview AI.

The BBC cites that the firms’ database has over 10bn images. The ICO has issued a provisional notice to stop further processing of the personal data of people in the UK and to delete any such data following alleged serious breaches of the UK’s data protection laws.

In a joint investigation with the Australian Information Commissioner (“AIC”) the ICO concluded that the data, some scraped from the internet, was being processed, in the case of UK persons, unlawfully in some instances.

Clearview AI Inc’s services were being used on a free trial basis by some law enforcement agencies. This has been confirmed to no longer be the case.

The ICO’s preliminary view is that Clearview AI Inc appears to have failed to comply with UK data protection laws in several ways including by:

  • failing to process the information of people in the UK in a way they are likely to expect or that is fair;
  • failing to have a process in place to stop the data being retained indefinitely;
  • failing to have a lawful reason for collecting the information;
  • failing to meet the higher data protection standards required for biometric data (classed as ‘special category data’ under the GDPR and UK GDPR);
  • failing to inform people in the UK about what is happening to their data; and
  • asking for additional personal information, including photos, which may have acted as a disincentive to individuals who wish to object to their data being processed.

Information Comissioner Elizabeth Denham commented:

“I have significant concerns that personal data was processed in a way that nobody in the UK will have expected. It is therefore only right that the ICO alerts people to the scale of this potential breach and the proposed action we’re taking. UK data protection legislation does not stop the effective use of technology to fight crime, but to enjoy public trust and confidence in their products technology providers must ensure people’s legal protections are respected and complied with.

Clearview AI Inc’s services are no longer being offered in the UK. However, the evidence we’ve gathered and analysed suggests Clearview AI Inc were and may be continuing to process significant volumes of UK people’s information without their knowledge. We therefore want to assure the UK public that we are considering these alleged breaches and taking them very seriously.”

This is one of the largest fines issued under the GDPR to date. Clearview now has the opportunity to respond, both in the UK and Australia (the AIC has found breaches of Australian privacy laws).

It’s unsurprising that its database, said to have included images scraped from social media, has drawn the attention of regulators. Facial recognition services have been at the forefront of recent data analytics scrutiny and data protection enforceability.

The ICO press release can be found here and the AIC press release here.

The previous statement of the ICO on the conclusion of the joint investigation can be found here.

Citation: 5RB: European Court of Human Rights upholds Article 8 privacy breach in relation to reputation of a dead person

The Privacy PerspectiveLeave a comment

In a case builds upon pre-existing caselaw on the rights of those who are deceased the European Court of Human Rights has found an article 8 breach in relation to news articles posted about a deceased Roman Catholic Priest.

ML v Slovakia 34159/17 concerned a number of articles published by three Slovakian newspapers about the historic sex offence convictions of the claimants son.

The Court found that the articles were inaccurate and sensationalist citing that: “However, it follows from what has been said above that the domestic courts failed to carry out a balancing exercise between the applicant’s right to private life and the newspaper publishers’ freedom of expression in conformity with the criteria laid down in the Court’s case-law.

Concluding the Courts stated, applying Article 8:

“…dealing appropriately with the dead out of respect for the feelings of the deceased’s relatives falls within the scope of Article 8 of the Convention”.

Furthermore the Court stated a clear and concise view on the journalistic integrity of the reporting: “Although the journalists must be afforded some degree of exaggeration or even provocation, the Court considers that the frivolous and unverified statements about the applicants sons private life must be taken to have gone beyond the limits of responsible journalism” -p.47

5RB has an excellent case comment.

The Schrems II case- EU-US data transfers left in question

The Privacy PerspectiveLeave a comment

The European Court of Justice has handed down its highly anticipated ruling in the Schrems II case. The case considered the validity of the EU-US Privacy Shield and the efficacy of Standard Contractual Clauses (“SCC”) as data transfer protection mechanisms.

In this landmark case it was found that the EU Commission’s adequacy decision around the EU-US Privacy Shield framework was invalid. The leaves the mechanism for conducting EU-US data transfers in question. This matter maybe covered by recent discussions between the UK and US around entering into a seperate data sharing agreement. However, in the interim a transitional mechanism is sorely needed alongside guidance for data processors to give clarity to how data sharing between the countries can be regulated and data subjects rights safeguarded.

The SCC regime was affirmed to be valid however, it was suggested that companies and regulators enter into a case by case basis analysis of risk. In particular, it was highlighted that such an assessment should take place where government access to data is mandated. This is a highly topical issue in the US given current efforts to put in place a federal data protection regime.

For more details on the Schrems II case see-

The IAPP

INFORRM

Law firm Bird & Bird

The ICO‘s press release

The right to be forgotten does not apply to search engine results globally

The Privacy PerspectiveLeave a comment

On 24 September 2019 the European Court of Justice (“ECJ”) handed down judgment in the case of Google v CNIL C-507/17. The effect of the case was that right to be forgotten requests only need be applied to domain names of Member States and not extra-territorially globally. The case, therefore, has implications for the processing and effectiveness of the right to be forgotten requests, particularly for requestors who seek de-listing of search results from multiple non-EU jurisdictions. Notably, the administrative burden upon search engine operators has been limited by the ruling.

light smartphone macbook mockup

Continue reading

Revisiting the right to be forgotten, the NT1 and NT2 case

The Privacy PerspectiveLeave a comment

The right to be forgotten or right to erasure under data protection legislation and enshrined from the Google Spain case allows significant protection of information regarding the individual. In this post, we consider the seminal case of NT1 and NT2 which is illustrative of this fact. Continue reading

Look out for the new incoming ePrivacy Regulation and its GDPR integration

The Privacy PerspectiveLeave a comment

The European Data Protection Board issued a statement on 13 March 2019 urging the European Authorities to implement the new ePrivacy Regulation (the “Regulation”).

The Regulation itself sits alongside the existing GDPR framework and focuses on email marketing and cookies consent.

Debate has been generated around the extent to which the Regulation and the GDPR practically sit alongside each other to ensure that the, now onerous, data protection regime does not duplicate obligations. The Panopticon Blog has an excellent post covering this issue from Robin Hopkins. Continue reading