In a startling turn of events, a recent ruling by a First-tier Tribunal in the United Kingdom has delivered a significant legal victory to facial recognition company Clearview AI. The tribunal overturned a fine imposed by the U.K. Information Commissioner's Office (ICO), which had accused Clearview AI of failing to adhere to the principles outlined in the General Data Protection Regulation (GDPR). This included lacking a lawful basis for processing personal data and engaging in unlawful processing of special category and biometric data.
Clearview AI successfully argued that the ICO lacked authority over its data processing practices, and therefore, had no grounds to fine the company, despite the fact that some of the processed data pertained to U.K. residents. The Tribunal's decision hinged on Clearview AI's assertion that it exclusively provides facial recognition services to law enforcement and government agencies located outside the U.K. According to this argument, the GDPR did not grant the ICO the power to intervene in the policies and operations of foreign governments. This legal position draws intriguing parallels to the debates surrounding data processing by U.S. agencies in cases like Schrems II, which invalidated the Privacy Shield, and discussions regarding granting the United States an adequacy status.
While the financial reprieve of an extra £7.5 million is undoubtedly a significant win for venture-backed Clearview AI, the true victory lies in the company's ability to continue its core business operations. Clearview AI specializes in matching facial images to a vast database collected from the internet. Remarkably, even though this business model triggers U.K. GDPR regulations when it involves images of U.K. residents, the recent tribunal decision suggests that Clearview AI need not fear ICO actions as long as it conducts such processing on behalf of law enforcement and government agencies. This strategic move by Clearview AI, implemented in May 2022 when it chose to limit the sale of its software, may have led to a temporary dip in revenue but ultimately yielded a more compliant and resilient data privacy model.
Furthermore, this newfound resilience in Clearview AI's business model could potentially be extended if the company successfully appeals similar fines it has received in France and elsewhere. Given that the European Union and U.K. versions of the GDPR are identical, a successful appeal could unlock a similar freedom to operate in the European Union and other regions.
Clearview AI's success story in the U.K. carries broader implications for AI companies navigating the complex landscape of data privacy regulations. It underscores the significance of targeting government actors, particularly those in the United States and potentially other jurisdictions, as the ideal customer base to avoid substantial and systemic fines outside the United States. As the future of artificial intelligence faces uncertainty in international arenas, Clearview AI's experience in the U.K. may serve as a blueprint for AI companies seeking to navigate these intricate legal waters successfully.
Photo by ev