
Clearview AI: Alignment in Global Enforcement Approach


Investigations into US facial recognition firm Clearview AI by Canadian regulators and UK/Australia yielded similar findings notwithstanding significant distinctions in legal regimes. Global enforcement cooperation may be viable even without global consensus on the legal framework for privacy regulation.


Clearview AI (“Clearview”) was described as “the secretive company that might end privacy as we know it” by The New York Times. The U.S.-based company developed a facial recognition app to allow law enforcement and others to run searches against a digital image of an individual’s face for likely matches. The company’s database of over three billion images of faces and corresponding biometric identifiers was populated by scraping public websites such as Facebook, YouTube, Instagram, Twitter and Venmo.



In February 2021, the federal Office of the Privacy Commissioner of Canada, alongside the provincial privacy regulators in the Provinces of British Columbia, Alberta and Québec, issued their investigative Report addressing compliance of the app with their respective laws.

The private sector laws are based on a consent model. The Commissioners determined that Clearview failed to obtain the requisite express, opt-in consent for the collection of data deemed “sensitive”. The Commissioners rejected that any exception to consent existed based on the data being “publicly available”, stressing that social media data is not public information as defined in the relevant legislation. The Commissioners further determined that Clearview’s data processing failed the critical gateway of “appropriate purpose” enshrined in the Canadian laws, emphasizing that Clearview’s for-profit commercial purpose did not justify mass collection of images which posed a risk of real harm associated with potential investigation or prosecution.



The UK-Australia Joint Investigation yielded similar findings. The Australian decision cited Canada’s Report, and found that Clearview breached the law by failing to collect information fairly and lawfully, obtain consent before collecting sensitive information, and notify individuals. While the UK, unlike Canada, has a concept of legitimate basis for processing, the UK regulator ultimately reached very similar conclusions in its preliminary ruling, on the basis that Clearview AI lacked a “lawful reason” for collecting the information, and failed to process data in a way that people would be likely to expect or consider fair. Having reached similar conclusions (including by giving a “nod” to the findings of other global regulators), these investigations show the potential for future international cooperation as regulators advance common interests notwithstanding distinctions in legal regimes.


Article provided by INPLP member: Wendy Wagner (Gowling WLG LLP, Canada)


