A facial recognition company used by British police forces has been fined more than £7.5m for creating an unlawful database of 20 billion images.
The Information Commissioner’s Office said Clearview AI had scraped people’s private photos from social media and across the internet without their knowledge.
It created an app, sold to customers including the police, where they could upload a photograph to check for a match against images in the database.
The app would provide a list of images that have similar characteristics, with a link to the websites where they were sourced.
“Given the high number of UK internet and social media users, Clearview AI Inc’s database is likely to include a substantial amount of data from UK residents, which has been gathered without their knowledge,” a spokesperson for the Information Commissioner said.
“Although Clearview AI Inc no longer offers its services to UK organisations, the company has customers in other countries, so the company is still using personal data of UK residents.”
Documents reviewed by Buzzfeed News in 2020 indicated that the Metropolitan Police, National Crime Agency, Northamptonshire Police,North Yorkshire Police, Suffolk Constabulary, Surrey Police and Hampshire Police are among the forces to have used the technology.
The ICO found that Clearview AI had committed multiple breaches of data protection laws, including failing to have a lawful reason for collecting people’s information, failing to be “fair and transparent” and asking people who questioned whether they were on the database for additional personal information including photos.
John Edwards, the Information Commissioner, said: “Clearview AI Inc has collected multiple images of people all over the world, including in the UK, from a variety of websites and social media platforms, creating a database with more than 20 billion images.
“The company not only enables identification of those people, but effectively monitors their behaviour and offers it as a commercial service. That is unacceptable. That is why we have acted to protect people in the UK by both fining the company and issuing an enforcement notice.
“People expect that their personal information will be respected, regardless of where in the world their data is being used.”
The fine was the result of a joint investigation conducted with the Australian information commissioner, which started in July 2020.
The ICO also issued an enforcement notice, ordering the company to stop obtaining and using the personal data of UK residents that is publicly available on the internet, and to delete the data of UK residents from its systems.