Leading facial recognition firm faces €20 million fine

What happened

• The Italian data protection regulator (the Garante) observed that Clearview AI is a company headquartered in the US that is said to maintain a database that includes over 10 billion facial images from individuals all over the world – these are extracted from public web sources through web scraping.
• The Garante has received a number of complaints relating to the unlawfulness of data processing carried out by Clearview AI as well as failing to adequately respond to data subject access requests.
• Accordingly, the Garante imposed a fine of €20 million and ordered Clearview AI to erase the data relating to individuals in Italy and to cease any further collection and processing of personal data through its facial recognition system.

Why it matters

• The Garante found that Clearview AI had failed to properly inform data subjects of what they were doing with their personal data as well not informing them about retention periods.
• The Garante also found that Clearview AI did not meet a condition in Article 9 of the EU GDPR to be able to lawfully process special categories of personal data (in this case, biometric data).
• This decision from Italian data protection authority follows similar enforcement action in the UK, Australia and France.
• The full decision can be read here (available in Italian).

What happened

• The UK government has made changes to the Online Safety Bill in order to tackle scams and fraud.
• Social media sites and search engines will be required to root out fraudsters and scammers on their platforms as the UK government strengthens its internet safety laws.
• The move coincides with the launch of a consultation as part of a wider overhaul of how online advertising is regulated in the UK, including proposals to improve transparency and accountability and tackle harmful, fraudulent and misleading adverts.

Why it matters

• The measures aim to boost people’s trust and confidence in being online by making sure the UK’s rules and regulations keep pace with advances in technology.
• A new legal duty will be added to the Online Safety Bill requiring the largest and most popular social media platforms and search engines to prevent paid-for fraudulent adverts appearing on their services.
• The change will improve protection for internet users from the potentially devastating impact of fake ads, including where criminals impersonate celebrities or companies to steal people’s personal data.

What happened

• The Information Commissioner’s Office (ICO) has issued a reprimand to the Scottish Government and NHS National Services Scotland over the failure by both organisations to provide people with clear information about how their personal information – including sensitive health data – is being used by the NHS Scotland COVID Status app.
• The NHS Scotland COVID Status app is one method people can use to demonstrate their vaccination status to satisfy mandatory COVID status checks that are still in place for certain venues, including nightclubs, in Scotland.

Why it matters

• The ICO advised the Scottish Government and NHS National Services Scotland that they had a number of concerns about the way the app was going to use people’s information.
• The ICO was particularly concerned by plans to allow the NHS Scotland COVID Status app to share the images and passport details of Scottish users with the software company providing the facial recognition technology behind the app.
• The ICO has now issued a reprimand to the Scottish Government and to NHS National Services Scotland over their initial failure to provide adequate privacy information within the NHS Scotland COVID Status app at launch to explain how people’s information is being used.