The Information Commissioner’s Office (ICO) has announced its provisional intent to impose a potential fine of just over £17 million on Clearview AI Inc – a company that describes itself as the ‘World’s Largest Facial Network’. In addition, the ICO has issued a provisional notice to stop further processing of the personal data of people in the UK and to delete it following alleged serious breaches of the UK’s data protection laws.
The £17 million fine is surprisingly small and lenient. Other companies, recently fined for data breaches, for example, were punished with much larger fines whereas much less personal data was stolen. Clearview AI has allegedly collected and processed over 10 billion individual photos without notice, let alone valid consent. The personal life and privacy of many UK and EU residents are jeopardized for commercial gain stemming from the unlawful processing of personal data.
Furthermore, under GDPR, the highest penalty threshold for a data breach is 2% of the infringer’s annual turnover, and 4% for violations like unlawful processing of personal data, making this specific decision of the ICO incomprehensible to me. In some notorious cases, like BA, the fine was eventually reduced from hundreds of millions to a significantly smaller amount, however, for different reasons unrelated to the gravity of the violation.
Different reports show that there is no consistency between GDPR fines and enforcement priorities among European DPAs, while this decision also demonstrates that even one DPA, like the ICO, may have broadly varying decisions that make GDPR enforcement unpredictable. The European Data Protection Board should probably bring more clarity and uniformity to the context by issuing additional guidelines on fines.