Information Commissioner’s Office fines facial recognition company Clearview AI 7,552,800 pounds and orders data be deleted

May 24, 2022

The UK Information Commissioner has imposed a significant fine of £7,552,800 on Clearview AI for illegally collecting personal data of UK residents. The facial images of UK residents were scraped from the internet and fed into Clearview’s database where, with the aid of artificial intelligence, it could use that data to identify those people and monitor them.

Clearview AI continues to maintain that it has done nothing wrong, saying that its technology and intentions have been “misinterpreted,” and claiming that it is not subject to the ICO’s jurisdiction.

Clearview has already been the subject of action by other regulators. In March 2022 the Italian data protection agency fined Clearview €20 million for breaches of EU law. In December last year France’s data watchdog, CNIL, found that Clearview had committed two breaches of the GDPR. Similarly in February 2021 Canadian privacy commissioners stated that Clearview violated Canadian privacy laws. In the United States Cook County, effectively Chicago, and Clearview entered into an agreement in settlement of a suit whereby Clearview has agreed to stop providing its technology to most private clients and doing business in Illinois.

The use of facial recognition technology by police is belatedly being scrutinised Read the rest of this entry »

The UK Information Commissioner’s Office launches its updated Artificial Intelligence data protection risk toolkit.

May 6, 2022

Artificial Intelligence (“AI”) is becoming a significant issue for lawyers generally and regulators in particular.   Its impact on the law is apparent with the Full Bench, of 5 justices, ruling in Commissioner of Patents v Thaler [2022] FCAFC 62 last month that an inventor in terms of patent law must be a natural person, not AI.  This was an appeal from a decision of Justice Beach on 30 July 2021 in Thaler v Commissioner of Patents [2021] FCA 879 who relevantly ordered:

  • The determination of the Deputy Commissioner that s 15(1) of the Patents Act 1990 (Cth) is inconsistent with an artificial intelligence system or device being treated as an inventor be set aside.
  • The matter as to whether patent application no. 2019363177 satisfies the formalities under the Patents Regulations 1991 (Cth) and its examination be remitted to the Deputy Commissioner to be determined according to law in accordance with these reasons.

In its reasons the Full Court found that identification of the “inventor” was central to the operation of the legislation. Under s 15, only the inventor or someone claiming through the inventor is entitled to a patent.

Thaler will probably make its way to the High Court. 

But the use of AI is more prosaic and ubiquitous than in inventing devices. That is likely to be both a public good and a cause for concern. At the moment the technology and its implementation are far outpacing the law and regulation. That is a concern given the potential foreseeable and unforeseeable consequences. In that regard I thoroughly recommend Machines Behaving Badly: The Morality of AI by Toby Walsh. I attended a presentation by Professor Walsh organised by the Centre for Artificial Intelligence and Digital Ethics (CAIDE) last Wednesday.

Regulators in the United Kingdom and Europe have been much more alive to the need for guidance and consideration of AI and its effect on privacy and data security than in Australia, where the regulator takes a more languid approach and seems to be letting the ACCC take the running on big tech issues. In that vein the Information Commissioner’s Office (‘ICO’) announced, on 4 May 2022, that it had launched its updated AI and data protection risk toolkit. It is an important document for Read the rest of this entry »

UK Information Commissioner fines transgender charity Mermaids 25,000 pounds for failing to keep personal data secure

July 19, 2021

The UK Information Commissioner’s office has fined Mermaids £25,000 for failing to keep personal information secure. The breach was that personal information found in emails and documents created by staff at Mermaids or its clients was publicly available online. Mermaids were advised by a newspaper of this fact in June 2019. Mermaids contacted the Commissioner that day.

Mermaids is a charity that offers support to young people and their families regarding gender non-conformity. As such the nature of discussions and personal information were very sensitive.

The media release provides:

The Information Commissioner’s Office (ICO) has fined transgender charity Mermaids £25,000 for failing to keep the personal data of its users secure.

The ICO’s investigation began after it received a data breach report from the charity in relation to an internal email group it set up and used from August 2016 until July 2017 when it was decommissioned. The charity only became aware of the breach in June 2019. Read the rest of this entry »

UK Information Commissioner’s office fines British Airways 20 million pounds for data breach affecting 400,000 customers

October 17, 2020

The UK Information Commissioner’s Office (“ICO”) has fined British Airways (BA) £20 million for a data breach in 2018. I did a post on it in September 2018. The ICO initially intended to fine BA nearly £184 million and made a statement in July 2019 to that effect in response to BA’s statement to the London Stock Exchange. The Commissioner decided to reduce the sum in light of the impact COVID 19 has had on BA’s business and finances.

As often happens, the investigation into the cyber attack by the regulator turned up multiple failings by BA, both in protecting its network and in detecting the attack. And that attack was both wide and deep in its penetration. Through the attack addresses of 244,000 customers were accessed, the credit card details with CVV numbers of 77,000 customers and credit card numbers Read the rest of this entry »

UK Information Commissioner intends to fine Marriott International 99 million pounds and British Airways 183.39 million pounds. The GDPR bites for data breaches

July 16, 2019

With the General Data Protection Regulation in force in the United Kingdom the Information Commissioner has greatly enhanced powers to fine those who breach data protection laws. And in that vein the Commissioner announced on 8 July 2019 an intention to fine British Airways £183.39 million for a data breach in September 2018 which resulted in the personal information of 500,000 being compromised. As is often the case investigation after the breach revealed Read the rest of this entry »

UK Information Commissioner prosecutes unauthorised access to personal information... part of a growing problem

June 11, 2019

Organisations and agencies that collect and use personal information have a chronic problem of staff accessing that information without authorisation. It is a very significant problem in the health industry with staff looking into the health records of celebrities; George Clooney in 2007, Britney Spears in 2008, Michael Jackson’s health records in 2011 and Kim Kardashian in 2013 to name a few. Last year 2 staff members at the Ipswich Hospital were reprimanded and one sacked for accessing Ed Sheeran’s health records relating to his treatment for a wrist injury caused by a bicycle accident. These instances are a fraction of the breaches of this nature that occur. The breaches rarely come to light because the organisations notify those whose personal information has been compromised. And they are only occasionally notified to the regulator.

A case of snooping that was reported to the regulator resulted in a successful prosecution. In the United Kingdom unauthorised access of personal information is a criminal offence. The UK Information Commissioner successfully prosecuted a former customer services officer at Stockport Homes who unlawfully accessed personal data, being anti-social behaviour cases, 67 times in 2017. The breaches were Read the rest of this entry »

BUPA fined 175,000 pounds for data protection failures

October 3, 2018

As Bupa has discovered, data breaches caused by employee misbehaviour can be as devastating for an organisation as a cyber attack. A rogue Bupa employee accessed and sold onto the dark web personal information of Bupa’s customers. When it was discovered by a third party the Information Commissioner investigated and found systemic failures and non-compliance with data security. That is a common outcome. The breach is generally bad; however, the investigation usually turns up more than just one problem with an organisation’s data security. As was the case with Bupa. There were systemic failures on Read the rest of this entry »

UK Information Commissioner’s office fines Equifax half a million pounds for security breach in 2017

October 1, 2018

First the breach, then the disastrous publicity and just when things seem to be getting better the enforcement action.  That is the way of it with UK and US privacy breaches.  Equifax’s travails have followed this path.

In 2017 Equifax suffered a data breach through a cyber attack. The impact was, even by modern standards, massive with personal information of 146 million people being compromised. That involved 200,000 credit card numbers and expiration dates and government issued documentation such as drivers’ licences and passports. A total of 15 million UK citizens’ personal information was compromised, giving the Commissioner jurisdiction.

The cost of the breach has been enormous, running to $275 million as at March this year.

The Equifax data breach is a “how not to” store information, set up proper data security and respond to the data breach.  As the UK Information Commissioner found Read the rest of this entry »

The UK Information Commissioner fines data broking company 140,000 pounds for selling personal information to a marketing company affiliated to UK Labour

August 12, 2018

The UK Information Commissioner has taken strong action in the form of a Monetary Penalty Notice of £140,000 for on-selling personal information of one million people, from Emma’s Diary, which provides advice on pregnancy and childcare, to Experian Marketing Services, which is used by the Labour Party. That information was used as a database to profile new mums for use during the 2017 General Election. The key with data for political parties is to allow them to micro target voters with carefully structured messages.

Under both UK and Australian privacy legislation personal information collected for one purpose cannot be disclosed to a third party for another purpose unless one of the exceptions applies.

The actions by Emma’s Diary were particularly cynical given Read the rest of this entry »

UK Information Commissioner hits Independent Inquiry into Child Sexual Abuse with a 200,000 pound fine for major data breach

July 30, 2018

As if the victims hadn’t suffered enough.  The Independent Inquiry into Child Sexual Abuse suffered a major data breach.  Of the all too common own goal variety.  A staff member sent an open email to 90 victims of sexual abuse, thereby allowing each person to identify the emails of others.  More than the majority of the email addresses listed the full name of the recipients.  Given the nature of the inquiry and the sensitivity of at least some of the recipients it was a dreadful and entirely avoidable error.  The Inquiry released personal information without consent.

Under the Monetary Penalty Notice the contravention was Read the rest of this entry »