The ICO Just Fined Clearview AI £7.5M — And It Still Didn’t Stop Them
The ICO fined Clearview AI £7.5M for scraping billions of faces without consent — establishing that biometric AI training on public data isn’t legal cover.
The UK Information Commissioner’s Office fined Clearview AI £7.5 million in May 2022 for building a facial recognition database out of billions of images scraped from the internet without asking a single person for permission. The ICO also ordered the company to delete all data belonging to UK residents. Clearview, predictably, appealed — and the story got more complicated from there.
The fine is one of the largest biometric data penalties the ICO has issued, and the investigation behind it is damning. Clearview scraped faces from social media, news sites, and public web pages, matched them against a database it then sold access to law enforcement agencies worldwide. No consent. No transparency. No lawful basis under UK GDPR or the Data Protection Act 2018. Just billions of faces, vacuumed up and monetised.
The ICO didn’t mince words in its enforcement decision.
“Clearview AI has demonstrated a fundamental disregard for the law. It has harvested facial images without consent, from millions of people in the UK, for use in its commercially available facial recognition service. Our investigation uncovered serious breaches of UK data protection law.” — UK Information Commissioner’s Office
What Clearview Actually Did
Clearview AI was founded in 2017 and had, by the time regulators caught up with it, assembled a database of over 20 billion facial images — scraped from Facebook, YouTube, LinkedIn, news sites, and essentially anywhere a human face appeared online. The company then sold access to this database, primarily to US law enforcement, letting officers upload a photo and get back a list of potential matches with links to where those images appeared online.
The problem — well, one of many problems — is that none of the people in those images agreed to be in a law enforcement facial recognition database. They posted a photo on Instagram. Clearview turned that into a searchable biometric profile. Under UK GDPR, biometric data used for identification is classified as “special category” data, requiring explicit consent or a specific lawful basis that Clearview simply didn’t have.
The ICO’s investigation, which started following complaints in 2020, found that Clearview had no meaningful transparency with the people it processed, gave UK residents no way to object or request deletion, and relied on the deeply shaky argument that data posted publicly is fair game. UK regulators disagreed, firmly.
The Fine, the Appeal, and the Precedent
The £7.5 million penalty was issued in May 2022. Clearview appealed to the First-tier Tribunal, arguing — among other things — that UK GDPR shouldn’t apply to a US company with no UK establishment and whose customers are outside the UK. The Tribunal partially sided with Clearview on jurisdictional grounds in late 2023, reducing the fine and complicating the ICO’s enforcement path. The ICO subsequently pursued further appeals, making this one of the messier regulatory sagas in recent UK data protection history.
The jurisdictional wrangle is genuinely thorny. Clearview operates from the US. Its clients are mostly US law enforcement agencies. But it scraped data from UK residents and offered them no recourse. Whether that brings a foreign company firmly under UK GDPR is a question regulators across Europe are still fighting through the courts — and not just with Clearview.
Regardless of the fine’s final number, the enforcement decision itself carries real weight. The ICO established clearly that scraping biometric data at scale, without consent, to train or populate an AI system is unlawful under UK law. That principle doesn’t disappear if the penalty gets trimmed on appeal.
Why This Matters Beyond Clearview
Clearview is the most visible target, but the model it pioneered — scrape the web, build a biometric dataset, sell access — is not unique to one company. Several facial recognition and identity-verification firms operate on similar foundations, and the ICO’s investigation put the entire sector on notice. Italy, France, Greece, and Australia issued their own enforcement actions against Clearview around the same period, creating a coordinated global squeeze.
The deeper issue is what counts as “public” data. Clearview’s argument that publicly posted images are free for any use is the same argument that AI training companies have used for text, code, and images across the board. Courts and regulators in the UK, EU, and US are all actively working through where that line sits — Clearview just happened to cross it with biometric data, which carries the highest regulatory classification and the least legal wiggle room.
What’s Next
Clearview continues to operate and expand in the US, where federal privacy law is patchwork and the company has leaned into government contracts to maintain revenue. In the UK and EU, it is effectively locked out — the ICO’s deletion order means it is not supposed to hold data on UK residents at all, and similar orders from European regulators cover the continent.
For the broader AI industry, the Clearview case is a reference point that will keep appearing in regulatory arguments for years. Training AI on scraped biometric data without lawful basis is not a grey area in UK and EU law anymore — it’s a documented, prosecuted violation. Companies building facial recognition, identity verification, or biometric authentication systems that rely on scraped training data have had clear warning. The regulators found the template; it’s just a matter of who they use it on next.
