See below for the latest Data Blast from our legal team: Clearview AI facing prospect of £17M fine for its facial recognition algorithm; South Korea reportedly trialing AI facial recognition for Covid 19 tracing; Report details missed opportunities to prevent ransomware attack on Irish Health Service; French regulator issues €210M in fines for cookie use and confusing ‘dark pattern’ design of consent mechanism…

ICO proposes a fine of £17M for illegal collection and use of UK data for facial recognition algorithm

On the penultimate day of her tenure as Information Commissioner, Elizabeth Denham issued a proposal to impose a fine of £17M on an Australian facial recognition software provider, Clearview AI, for numerous breaches of UK data protection laws. Clearview AI has previously been the subject of investigations in Australia and in Canada, which concluded that the company’s collection and use of individuals’ facial images by ‘scraping’ the public internet violated each of those countries’ laws. Clearview AI’s database of faces is said to contain upwards of 10 billion images.

Clearview AI previously offered services in the UK, in particular to law enforcement bodies, but ceased activities some time ago. The ICO participated in a joint investigation with the Australian regulator, commencing in July 2020, following which Ms. Denham concluded that Clearview AI’s activities in the UK had breached numerous data protection rules by:

  • failing to process the information of individuals in a fair and transparent manner;
  • failing to have a data retention process in place to prevent data being retained indefinitely;
  • failing to have a lawful basis for collecting the personal data in question;
  • failing to meet the lawful conditions for processing biometric data;
  • failing to inform UK individuals about the collection and processing of their data; and
  • seeking additional personal data, including photos, from individuals wishing to exercise their legal right to object to the processing of their data.

Contrary to many reports, no fine has been issued and no final decision made as to whether enforcement action will go ahead; those decisions now rest with the new Information Commissioner, John Edwards (previously the data protection regulator for New Zealand), who took up his post this month. Clearview AI now has the opportunity to make submissions to the ICO as to why it believes Ms. Denham’s conclusions are inaccurate or that the proposed fine is otherwise inappropriate.

South Korea reportedly trialing facial recognition technology for Covid 19 contact tracing

South Korea is reportedly set to trial this month an AI-based facial recognition technology that will use images from nearly 11,000 CCTV cameras to track the movements of individuals found to be infected with Covid 19. The trial seeks to improve on an already robust system of contact tracing that includes the use of CCTV footage, credit card records, and mobile phone location data, and will allow authorities to verify the movements and contacts of individuals, as well as whether those infected wore a face mask whilst circulating in public. The trial is set to take place in Bucheon, near the capital city of Seoul.

The reported trial of such invasive technology comes at perhaps an awkward moment, as the European Commission formally adopted its adequacy decision in favour of South Korea on December 17th 2021, allowing for the free flow of personal data between the EU and South Korea. The use of facial recognition technology in public is the subject of much debate in the EU at present, in particular in the context of the proposed EU Artificial Intelligence Act (a full length report on which featured in our winter 2021 edition of Inside IP). EU data regulators, as well as some politicians, have argued for any new legislation on AI to contain a prohibition on the deployment of live facial recognition technology in public places. Live facial recognition technologies are also certain to feature in the UK’s forthcoming blueprint for its proposed regulatory regime for AI technologies. We have previously reported on the English Court of Appeal’s decision setting out a legal framework for the compliant use of live facial recognition technology by police, here.

Irish Health Service cyber incident traced to a malicious email

In the spring of 2021, the Irish Health Service Executive (HSE) fell victim to an extensive ransomware attack that caused service outages and serious delays across HSE’s entire network, with disruptions that lasted for months. PwC was commissioned to investigate and report on the incident, and its report, published in December 2021, concluded that the attack originated with a malicious email opened by a member of the HSE staff on March 18th 2021. The report discloses that the attackers remained within HSE’s IT network for more than 6 weeks before finally launching the ransomware attack that blocked HSE’s access to its systems. The report details the timeline for the attack, including numerous gaps in the HSE cyber security processes which ultimately allowed the attackers to disable the hospital networks, including:

  • HSE’s antivirus software was configured to ‘monitor’ mode, which resulted in the detection of the malicious software code on the initial HSE user’s machine, but the malicious code was not quarantined;
  • HSE servers were first compromised by the attacker on May 7th, and over the course of 5 days the attack was able to spread to six HSE hospitals;
  • During that time, one hospital detected that the ransomware had reached a critical component of the Windows environment which manages user authentication and network access;
  • Evidence of the attack was first noted by security auditors on May 10th at two hospitals; and
  • HSE was alerted by its antivirus security provider that threat detections dating back to May 7th had yet to be actioned on as many as 16 HSE systems, which triggered the hospital’s threat response.

The group behind the attack initially sought a US $20 million ransom payment in virtual currency in order to provide HSE with the decryption keys to unlock its servers; however, following the widespread condemnation of the attack – particularly as HSE was responding to the Covid 19 pandemic – the attackers provided the keys without any ransom being paid. HSE’s recovery from the attack progressed over the course of more than 6 months. The report into the attack highlights the importance for all organisations not only of investing in appropriate technological measures to guard against attacks, but also of ensuring that procedures are followed to monitor threat prevention and resilience constantly.

French regulator issues €210M in fines for making cookie consent difficult for users

The French data protection regulator, the CNIL, fined a search engine provider €150M and Facebook’s parent, Meta, €60M for failing to adhere to cookie consent requirements under the French regulation enacting the EU’s ePrivacy Directive. The CNIL found that in both cases, accepting cookies was enabled by a single selection by the user, whilst limiting the use of cookies required multiple layers of navigation. On that basis alone, the cookie approaches failed to meet the CNIL’s explicit guidance that refusing consent for cookies must require no more effort from users than giving consent. Furthermore, in Facebook’s case, users seeking to reject consent for the use of non-essential cookies were ultimately presented with a button labelled ‘Accept cookies’; the CNIL held that approach to be necessarily confusing for users, as it created the impression that it was not possible to reject the use of cookies.

The platforms were each given 3 months within which to bring their practices into compliance with the French rules on cookies, with a further fine of €100,000 to be applied for each day of continued non-compliance after the expiry of that grace period. Both platforms have their EU base in Dublin, and it remains to be seen whether one or both will seek to challenge the CNIL fines on jurisdictional grounds, as well as on the merits and/or in relation to the quantum of the fines. The CNIL sought in its decision notices to head off such a challenge, stating that the GDPR’s ‘one stop shop’ enforcement mechanism (under which the Irish regulator would have competence over the platforms) does not apply to breaches of Member State law stemming from the ePrivacy Directive.

For more information please contact Partner, James Tumbridge at jtumbridge@vennershipley.co.uk.