INTRODUCTION
Clearview AI (“Clearview”) was described as “the secretive company that might end privacy as we know it” by The New York Times. The U.S. based company developed a facial recognition App to allow law enforcement and others to run searches against a digital image of an individual’s face for likely matches. The company’s database of over three billion images of faces and corresponding biometric identifiers was populated by scraping public websites such as Facebook, YouTube, Instagram, Twitter and Venmo.
CANADA JOINT INVESTIGATION
In February 2021, the federal Office of the Privacy Commissioner of Canada, alongside the provincial privacy regulators in the Provinces of British Columbia, Alberta and Québec issued their investigative Report addressing compliance of the APP with their respective laws.
The private sector private sector laws are based on a consent model. The Commissioners determined that Clearview failed to obtain the requisite express, opt-in consent for the collection of data deemed “sensitive”. The Commissioners rejected that any exception to consent existed based on the data being “publicly available”, stressing that social media data is not public information as defined in the relevant legislation. The Commissioners further determined that Clearview’s data processing failed the critical gateway of “appropriate purpose” enshrined in the Canadian laws, emphasizing that Clearview’s for profit commercial purpose did not justify mass collection of images which posed a risk of real harm associated with potential investigation or prosecution.
UK-AUSTRALIA JOINT INVESTIGATION
The UK-Australia Joint Investigation yielded similar findings. The Australian decision cited Canada’s Report, and found that Clearview breached the law by failing to collect information fairly and lawfully, obtain consent before collecting sensitive information, and notify individuals. While the UK, unlike Canada, has a concept of legitimate basis for processing, the UK regulator ultimately reached very similar conclusions in its preliminary ruling , on the basis that Clearview AI lacked a “lawful reason” for collecting the information, and failed to process data in a way that people would be likely to expect or consider fair. Having reached similar conclusions (including by giving a ‘nod” to the findings or other global regulators), these investigations show the potential for future international cooperation as regulators advance common interests notwithstanding distinctions in legal regimes.
Article provided by INPLP member: Wendy Wagner (Gowling WLG LLP, Canada)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)