An AI firm harvested billions of photos without consent. Britain is powerless to act (www.politico.eu)
from throws_lemy@lemmy.nz to technology@lemmy.world on 01 Nov 2023 01:40
https://lemmy.nz/post/2904520

#technology

threaded - newest

autotldr@lemmings.world on 01 Nov 2023 01:45 next collapse

This is the best summary I could come up with:


LONDON — Britain’s top privacy regulator has no power to sanction an American-based AI firm which harvested vast numbers of personal photos for its facial recognition software without users’ consent, a judge has ruled.

The New York Times reported in 2020 that Clearview AI had harvested billions of social media images without users’ consent.

The Information Commissioner’s Office (ICO) took action against Clearview last year, alleging it had unlawfully collected the data of British subjects for behavior-monitoring purposes.

Lawyers have pointed out that the company was under no obligation to purge Brits’ pictures from its database until the appeal was determined — and yesterday’s ruling applied not only to the fine, but the deletion order too.

The identity-matching technology, trained on photos scraped without permission from social media platforms and other internet sites, was initially made available to a range of business users as well as law enforcement bodies.

Following a 2020 lawsuit from the American Civil Liberties Union, the company now only offers its services to federal agencies and law enforcement in the U.S. Yesterday’s judgment revealed it also has clients in Panama, Brazil, Mexico, and the Dominican Republic.


The original article contains 627 words, the summary contains 190 words. Saved 70%. I’m a bot and I’m open source!

Granixo@feddit.cl on 01 Nov 2023 02:25 next collapse

Maybe they shouldn’t have left the EU.

bernieecclestoned@sh.itjust.works on 01 Nov 2023 08:00 collapse

How would that affect a US company? Did you read the article or just kneejerk a brexit snark for internet points?

The ICO failed “not because this isn’t monitoring and not because in other circumstances, this might not be in breach of U.K. GDPR, but because it’s foreign law enforcement. It’s outside of the scope of European Union law so it doesn’t apply,” said James Moss, privacy and data protection partner at the law firm Bird & Bird.

alienanimals@lemmy.world on 01 Nov 2023 16:28 collapse

The EU has enough power to actually stand up to US companies. See: barrons.com/…/eu-bans-meta-s-use-of-personal-data…

bernieecclestoned@sh.itjust.works on 01 Nov 2023 22:24 collapse

Yes in the EU. Fuck all out if it. This company was not operating in Europe. The internet isn’t in Europe

ChairmanMeow@programming.dev on 01 Nov 2023 23:51 next collapse

EU laws apply to EU citizens, even on the internet. EU laws therefore tend to have surprisingly global effects, often called the ‘Brussels Effect’.

A US company harvesting data from EU citizens is subject to EU laws and can be fined for breaking them accordingly, for example.

bernieecclestoned@sh.itjust.works on 02 Nov 2023 07:36 collapse

The Brussels effect is a book.

Are you saying the lawyer who specialises in data and privacy is wrong?

The company was working for a foreign government, not commercially

You could like, read the article?

ChairmanMeow@programming.dev on 02 Nov 2023 12:02 collapse

Please read beyond the first Google result that you find: en.m.wikipedia.org/wiki/Brussels_effect

What a UK court has ruled based on EU law is not necessarily what an EU court would rule. They may well state that Clearview is a commercial partner of foreign law enforcement and therefore not protected (because it’s not the foreign law enforcement itself doing the data harvesting, but a commercial firm intending to make money).

Besides, the UK court clearly ruled that the law did apply, but that Clearview wasn’t in breach. This wasn’t a jurisdiction issue, as you asserted initially.

bernieecclestoned@sh.itjust.works on 02 Nov 2023 14:27 collapse

Yes, not in breach. The UK laws have not been changed since brexit. Start dealing in facts, not some conceptual Brussels effect which isn’t real other than REACH. The California effect is much larger.

The EU court can decide whatever the fuck it likes, it still has zero jurisdiction outside the EU.

Also, read the FUCKING article, the French also brought a case…

ChairmanMeow@programming.dev on 02 Nov 2023 23:30 collapse

I’m not talking about who is in breach or not, I argued about the jurisdiction of the court, which they ruled that the law does apply to Clearview (even if it wasn’t breached). It’s literally in the article, maybe you should read it?

Also, foreign companies saving any data on EU citizens who reside in the EU are subject to the GDPR, see this webpage set up by lawyers who actually know about this stuff:

“The law is structured in this manner so that it can safeguard the data and privacy rights of all internet users in the EU, regardless of where they browse online or purchase. Therefore, if you conduct business with EU citizens, you must comply with GDPR.” reciprocity.com/…/guide-to-gdpr-compliance-for-us….

And the French also brought a case, precisely because the law does apply and they have jurisdiction. So thanks for proving my point I guess?

bernieecclestoned@sh.itjust.works on 03 Nov 2023 02:48 collapse

Therefore, if you conduct business with EU citizens, you must comply with GDPR."

They weren’t conducting business, as the article says. If they were, the law, in the UK, which hasn’t changed, would apply. But they weren’t.

ChairmanMeow@programming.dev on 03 Nov 2023 08:02 collapse

Collecting personal data from EU citizens whilst they are in the EU is doing business in the EU, which is why the court ruled the law did apply. Did you read the article?

Clearview was not fined specifically because of a provision in that same law that says such data collection is permitted if they were doing this business on behalf of foreign law enforcement. So the UK court ruled the law does apply, but that Clearview wasn’t in breach. The UK court used EU law to determine Clearview was not in breach of EU law. The fine was not removed because Clearview is outside of their jurisdiction, which they’re simply not.

bernieecclestoned@sh.itjust.works on 03 Nov 2023 09:19 collapse

The judgment, issued by the three-member tribunal at the First-tier Tribunal, agreed with Clearview’s assertion that the ICO lacked jurisdiction in the case because the data processing in question was carried out on behalf of foreign government agencies.

Yeah, I’m going to take the judgement as the truth over your opinion of a fictional ECJ judgement, especially as the UK GDPR law is exactly the same as the EU one.

Please provide a link that shows otherwise

ChairmanMeow@programming.dev on 03 Nov 2023 17:09 collapse

I think I understand your confusion now.

For starters, we’re talking about the exact same ruling. And I think the snippet you posted will help me explain the issue.

GDPR is an EU law. It applies to all companies collecting data on EU citizens. If a company does, it falls under the jurisdiction of the GDPR and European (member state) courts (in this case a UK court). The UK court clearly held that it has jurisdiction, and could apply a penalty if Clearview were to be in breach of the law.

However, the court is not normally the one to hand out these fines. Instead, that is delegated to each country’s data protection agency, which in the UKs case is the ICO. Now, the exact conditions under which the ICO is allowed to fine a company is defined in the GDPR. It defines the jurisdiction of the data protection agencies.

One of those conditions states that the ICO is not to have jurisdiction over data collection done for foreign law enforcement (that’s usually covered by international treaties instead). The ICO for example can’t fine the FBI or NSA or something.

In the case of Clearview, the ICO argued that sinced Clearview is a private company, they were not covered by this exclusion. Clearview argues that the sole purpose of the data collection is for foreign law enforcement, so that they are covered by that exclusion. Note that Clearview didn’t argue that they can’t be fined because they’re not an EU company.

The court has ruled that yes, the GDPR applies to Clearview, but also that Clearview is covered by the exclusion outlined in the GDPR for foreign law enforcement, and thus that the ICO does not have the jurisdiction to fine them (again, note the difference between the jurisdiction of the law/court and that of the ICO). So GDPR applies, but Clearview is not in breach.

Hypothetically, had Clearview sold this data to other private companies instead of law enforcement agencies, then Clearview could not have argued that they were covered by the GDPR exemption, and thus the court would have ruled that the ICO does have the jurisdiction to fine them.

So in conclusion:

  • The EU can and has fined companies that are not in the EU for breaches of the GDPR.
  • The GDPR does apply to Clearview.
  • The UK court does have jurisdiction.
  • The ICO does not have jurisdiction on Clearview specifically, due to the aforementioned provision in the GDPR.
  • The ICO can not fine Clearview for this activity, for reasons outlined in the GDPR.

I hope this makes a bit more sense now.

[deleted] on 03 Nov 2023 20:20 next collapse

.

bernieecclestoned@sh.itjust.works on 03 Nov 2023 20:25 collapse

Ok, I think I get where you are coming from, but your conclusion still doesn’t argue the original point imo.

The GDPR law on the UK statute books is the exact same law as the EU one, it has not been amended. It’s just that the ECJ is no longer the highest court. The UK supreme court is again supreme following brexit.

Please provide an example of where the EU has taken action successfully against a conpany that has no base in the EU though. I’ve not seen anything like that bef

The original point was that the UK was somehow in a worse position because of brexit, this is not true. The UK is no weaker legally because of exiting the EU. The law is identical.

ChairmanMeow@programming.dev on 03 Nov 2023 20:44 collapse

Finding examples is difficult, as most articles tend to be about the big tech companies that have bases globally. But I can point you towards the legal mechanism the EU uses in the case of the US, which is the EU-US Data Protection Umbrella agreement, see here: “Law enforcement cooperation: EU-US Umbrella Agreement” commission.europa.eu/…/eu-us-data-transfers_en#:~…

This is an international agreement between the EU and the US. When the UK Brexited, I believe (but not 100% sure) they were no longer part of that agreement, meaning the UK lost the ability to efficiently go after companies without a base in the UK even if the law remained identical.

bernieecclestoned@sh.itjust.works on 03 Nov 2023 22:42 collapse

Ah ok. Yeah they just did a thing to replicate it recently. Not sure if that means there was a period when that ability was lost though

…org.uk/international-data-transfers-data-bridge

Honytawk@lemmy.zip on 02 Nov 2023 12:44 next collapse

No, but the internet in Europe is regulated by the EU. If that company wants to use it, they will be subjected to its laws or they will be blocked and fined.

ComradeWeebelo@lemm.ee on 02 Nov 2023 16:38 collapse

Why are you white knighting for big US companies? They don’t even know who you are outside of a personal identification number.

bernieecclestoned@sh.itjust.works on 02 Nov 2023 16:52 collapse

I’m not… Just replying to EU supremacists who think their laws rule the world, they don’t.

And who haven’t read the fucking article which clearly says other EU countries have tried taking them to court, so the fucking moron who said it wouldn’t have happened if the UK hadn’t left the EU is clearly talking shite, as are all the other fucking morons who upvoted them without reading it.

[End rant]

smegger@aussie.zone on 01 Nov 2023 03:10 next collapse

I’m not saying they’re in the right, but once you put stuff on the internet it’s near impossible to stop people doing what they want with it

realharo@lemm.ee on 01 Nov 2023 05:49 next collapse

That’s only true for people who don’t care about operating lawfully. A big company cannot practically afford to do the same things as some random fly under the radar niche community.

That being said, this is a US company, so that may be a problem.

burliman@lemm.ee on 01 Nov 2023 11:07 collapse

Exactly. My first thought when I read the headline? “Who cares.” How many human eyes have harvested the same images without consent. At least AI isn’t going to stalk you afterwards.

there1snospoon@ttrpg.network on 01 Nov 2023 15:55 collapse

… You do realize that AI is a tool which can make stalking monstrously easy?

burliman@lemm.ee on 01 Nov 2023 20:43 collapse

How does it do that? Ask it step by step instructions on how to stalk? If there is some other way in your mind, then I’d posit that AI also makes anti stalking monstrously easy. It’s a tool right?

hitmyspot@aussie.zone on 02 Nov 2023 02:18 collapse

Ask it to monitor all public cameras and notify when it finds the face you are stalking.

Ask it to analyze your known movement patterns based on public check ins and guess at future locations. Or ask it to monitor profile for check ons and give updates.

I’m not sure if your naive or argumentative.

foenkyfjutschah@programming.dev on 02 Nov 2023 08:15 next collapse

where are these tools available?

hitmyspot@aussie.zone on 02 Nov 2023 09:19 collapse

They aren’t as far as I’m aware. But a year ago, chatgpt didn’t exist either. It’s not a huge technological leap. Especially now it’s getting linked in to google and bing, which in turn are linked to your online presence with email, tracking etc.

The question is if they will be locked down well enough?

LinusOnLemmyWld@lemmy.world on 02 Nov 2023 09:07 collapse

or

AI, give me the list of everyone who is likely to stalk me based on their public profile

[deleted] on 02 Nov 2023 12:05 collapse

.

xenomor@lemmy.world on 01 Nov 2023 03:52 collapse

What? Someone downloaded photos that people willingly uploaded to a public network? You don’t say.

[deleted] on 01 Nov 2023 08:54 collapse

.

aidan@lemmy.world on 01 Nov 2023 09:14 next collapse

Except it’s not because these are photos people are choosing to post.

[deleted] on 01 Nov 2023 23:23 next collapse

.

foenkyfjutschah@programming.dev on 02 Nov 2023 08:18 collapse

as someone who crossed a tourist hotspot to get to the cantina for some years, my experience can’t confirm your statement.

aidan@lemmy.world on 02 Nov 2023 10:42 collapse

The problem there is someone taking photos of you without your consent, not AI analyzing the photos

Apollo2323@lemmy.dbzer0.com on 01 Nov 2023 11:22 next collapse

I am a privacy advocate but I will have to disagree with you. There is no such thing as privacy on public places , or in the public internet. If you upload a picture to the internet publicly then it is publicly available to everyone.

[deleted] on 01 Nov 2023 23:20 collapse

.

ianovic69@feddit.uk on 01 Nov 2023 11:43 collapse

if you went Out in public and paparazzi started haunting everyone out on the street, all the time, even though you are no-one famous.

While this is true, it’s important to understand that you have already given that right by just being out in public. If you can be viewed by the eyes of people, in a public place, then they can photograph you.

The difference is that if you can be obviously identified in the image and it is used commercially, you should be asked for a release or permission generally.

It’s a grey area in the context of scraping for AI, not because permission hasn’t been given, but because the technology is new and the laws haven’t been written yet.

The changes will happen but it takes time, particularly with a complex issue like this.

[deleted] on 01 Nov 2023 23:16 collapse

.