According to court documents, the UK commissioner doesn’t have the authority or jurisdiction to cite or fine the “foreign” company for GDPR infractions.
U.S. surveillance and facial recognition firm Clearview AI has won a court appeal in the United Kingdom after being accused of infractions of the U.K.’s General Data Protection Regulation (GDPR).
Originally, the company was fined nearly $10 million for breaches of the U.K.’s GDPR in May of 2022. The recent victory will see that fine rescinded unless the U.K.’s Information Commissioner’s Office (ICO) further appeals the ruling.
Per a U.K. court tribunal led by Tribunal Judge Lynn Griffin, whether Clearview AI (called “CV” throughout the documents) ran afoul of GDPR is immaterial due to the jurisdictional limits on applying GDPR to foreign companies.
According to court documents released Oct. 17:
“Whether or not CV has infringed the Articles of GDPR or UK GDPR as alleged or at all was not the issue before us. That would be the subject of any substantive hearing were this case to go forward.”
The document goes on to state that, despite the fact that Clearview AI has billions of images in its facial recognition and AI surveillance system (including, according to experts, those sourced from “public” internet repositories originating in the U.K.), the U.K.’s ICO doesn’t have the jurisdiction to offer GDPR protection to its citizenry in this case.
In reference to Clearview AI, the court document states “it is a foreign company providing its service to ‘foreign clients, using foreign IP addresses, and in support of the public interest national security and criminal law enforcement functions’, such functions being targeted at behaviour within their jurisdiction and outside of the UK.”
In essence, it appears as though the appeal’s approval sets a legal precedent wherein the U.K. court system’s stance on enforcing GDPR has been relegated to only those companies firmly within the U.K.’s purview.
In contrast, Clearview AI has been sued and fined multiple times in Europe via the E.U.’s GDPR, with fines being levied in France, Italy, and Greece. In Sweden, the local police authority was fined more than $300K for its illegal use of Clearview AI products in 2021.
However, regarding these and other judgments, Clearview AI has managed to avoid following the court’s orders in at least some instances. Despite, for example, being fined $20 million for GDPR breaches in France in October of 2022, the company refused payment and was found in breach of that order as of May of 2023.
Currently, Clearview AI holds what appears to be a unique position within the U.S. tech ecosystem. Despite continuing allegations that its software and services violate civil rights and privacy protections afforded all U.S. citizens, the company’s close ties with law enforcement have, according to some experts, afforded it a level of protection inconsistent with U.S. laws against unwarranted surveillance and the Fourth Amendment to the U.S. Constitution.
As such, it is nearly impossible for most people to have their data removed from the company’s datasets and systems.
Per Clearview AI’s Privacy Policy page, “currently, only those who are a resident of one of the following states may submit a consumer request for access, opt-out, and/or delete.” Those states include California, Colorado, Connecticut, Illinois, and Virginia.
Individuals outside of those areas have, so far, no explicit recourse to have their images, likeness, and other data removed from the company’s dataset.
The same document states explicitly that Clearview AI “may have sold this category of personal information [face vectors and photographs] to law enforcement, governmental agencies, authorized contractors of law enforcement or government agencies, security and national security professionals.”
Those living in the aforementioned U.S. states who wish to opt out must submit a “headshot” photograph, verify their government-issued identification, and provide “any additional information” required by the company in order to have their request for removal reviewed.