UK Fines Clearview AI £7.5 Million for Breaching Data Protection Laws

The UK’s Information Commissioner’s Office (ICO) fined Clearview AI £7.5 million for breaching UK data protection rules by creating an online database of over 20 billion images of people’s faces collected from publicly available sources on the internet and social media without informing individuals their images were being collected or used. The fine represented a reduction from the £17 million penalty the ICO initially announced in its provisional notice in November 2021, following joint investigation with Australian privacy authorities under the Privacy Act and UK Data Protection Act 2018.

Enforcement Action and Data Deletion Orders

In addition to the £7.5 million fine, the ICO issued an enforcement notice ordering Clearview AI to stop obtaining and using personal data of UK residents from the internet and to delete existing data of UK residents from its systems. The ICO found that Clearview violated UK data protection laws by failing to inform any individuals that their images were being collected, processed into biometric templates, and made searchable in a facial recognition database marketed to law enforcement agencies worldwide.

Scale of Unlawful Processing

The investigation revealed Clearview had scraped over 20 billion facial images from public internet sources including social media platforms, creating biometric templates without consent or notification. The company’s business model centered on selling access to this database to law enforcement and private entities, enabling searches that could identify individuals from a single photograph. The ICO determined this constituted systematic violations of UK residents’ privacy rights and data protection requirements.

Significance

The UK enforcement action, combined with similar regulatory actions across Europe and Canada, demonstrated coordinated international opposition to Clearview AI’s surveillance business model. However, the reduction of the fine from £17 million to £7.5 million, and the practical difficulty of enforcing data deletion against a U.S.-based company, revealed the limitations of national privacy regulators in controlling global surveillance infrastructure. The case highlighted how facial recognition companies could operate across borders while remaining largely beyond the reach of democratic accountability mechanisms in countries whose citizens’ data they collected.