Controversial facial recognition company Clearview AI has been ordered to delete all data belonging to UK residents by the country’s privacy watchdog, the Information Commissioner’s Office (ICO). The ICO also fined Clearview £7.5 million ($9.4 million) for failing to follow the UK’s data protection laws.

It’s the fourth time Clearview has been ordered to delete national data in this way, following similar orders and fines issued in Australia, France, and Italy.

Clearview claims its facial recognition database contains some 20 billion images scraped from public sources like Facebook and Instagram. It previously sold its software to an array of private users and businesses, but recently agreed to restrict itself in the US to selling to federal agencies and police departments following a lawsuit brought by the American Civil Liberties Union (ACLU).

In the UK, Clearview AI’s services have been used in the past by law enforcement customers including the Metropolitan Police, Ministry of Defence, and National Crime Agency. ICO says the company “no longer offers its services to UK organisations,” but notes that the data it has scraped from UK residents can still be used by customers in other countries.

In a press statement, the UK’s Information Commissioner John Edwards said Clearview had likely collected a great deal of information on UK residents. “The company not only enables identification of those people, but effectively monitors their behaviour and offers it as a commercial service. That is unacceptable,” said Edwards. “That is why we have acted to protect people in the UK by both fining the company and issuing an enforcement notice.”

The ICO said Clearview violated several tenets of UK data protection law, including failing to use data in a way that is “fair and transparent” (given that residents’ images were scraped without their knowledge or consent), “failing to have a lawful reason for collecting people’s information,” and “failing to have a process in place to stop the data being retained indefinitely.”

However, although ICO has issued a fine against Clearview and ordered the company to delete UK data, it’s unclear how this might be enforced if Clearview has no business or customers in the country to sanction. In response to a similar deletion order and fine issued in Italy under EU law earlier this year, Clearview’s CEO Hoan Ton-That responded that the US-based company was simply not subject to EU legislation. We’ve reached out to both the ICO and Clearview for further clarity on these points.