Contact

Clearview AI’s Australian Privacy Breach

Published
18 Mar 2022
Read time
4 min read
Category
Opinion, Security
Graphic illustration vector showing facial recognition technology

Penalties have started to flow in for Clearview AI’s controversial scraping and use of the facial biometrics of social media users from around the world. Regulators in Canada, the UK, France, and Australia have all issued penalties or notices to the US company to stem its use of its facial recognition database. Meanwhile, Clearview AI maintains it has only ever used publicly available information. So, what laws are behind the Clearview AI Australian privacy breach? 

What Does Clearview AI do?  

Clearview AI is a facial recognition system that is designed to support law enforcement around the globe (wherever it is permitted). Facial recognition AIs are controversial generally for a multitude of reasons, including the risk of racial biases and the infringement of personal privacy through the expanding use of biometric data.  

Clearview AI’s facial recognition system is also controversial (and, in some jurisdictions, unlawful) as a result of how it amassed the three billion faces in its database – through social media scraping.  

Essentially, Clearview AI’s technology crawled Facebook, Instagram and other social media platforms and copied the biometric information available in the users’ public profiles. This was done without the consent of the individual users.  

Privacy Concerns Raised Around the Globe by Clearview AI’s Platform 

In February 2021, Canada’s Privacy Commissioner recommended that Clearview stop offering its facial recognition services to Canadian clients, including the RCMP which was a paying client. The privacy authority also recommended Clearview stop collecting images of individuals in Canada and delete the images and biometric information of individuals in Canada that it previously collected.  

Meanwhile, the Illinois arm of the American Civil Liberties Union filed a lawsuit against Clearview AI in May 2020 for breaches under the state’s Biometric Information Privacy Act. This lawsuit is still making its way through the courts 

In Europe, France’s watchdog ordered Clearview AI to cease collecting images of individuals in France and comply with the requests for erasure in December 2021. Italy’s privacy authority imposed a 20 million Euro fine and ordered the erasure of existing data and for Clearview AI to cease collecting data. The UK imposed a provisional £17 million fine, following a joint investigation with the OAIC. 

Clearview AI Australia Privacy Breach: The OAIC’s Findings 

The Office of the Australian Information Commissioner (OAIC) launched its joint investigation (with the UK’s ICO) into Clearview AI in July 2020. In November 2021, the OAIC determined that Clearview AI had breached Australian privacy laws by:  

  1. [failing] to comply with the requirement in Australian Privacy Principle (APP) 1.2… to take reasonable steps to implement practices, procedures and systems relating to the entity’s functions or activities, that will ensure compliance with the APPs. 
  2. [interfering] with the privacy of Australian individuals, by failing to: 
    • collect sensitive information about an individual only where the individual consented to the collection (and the information was reasonably necessary for one or more of the entity’s functions or activities) (APP 3.3) in circumstances where no other exceptions applied to permit the collection (APP 3.4) 
    • collect personal information only by lawful and fair means (APP 3.5) 
    • take such steps (if any) as were reasonable in the circumstances to notify individuals of the collection of personal information (APP 5) 
    • take such steps (if any) as were reasonable in the circumstances to ensure that the personal information it used or disclosed was, having regard to the purpose of the use or disclosure, accurate, up‑to‑date, complete and relevant (APP 10.2). 

Outcome of the OAIC’s Clearview AI Investigation 

Following the investigation into Clearview AI in Australia, it was determined that the company:  

  • must not repeat or continue the acts and practices that were found to be in breach 
  • must cease to collect Scraped Images, Probe Images, Scraped Image Vectors, Probe Image Vectors and Opt-out Vectors (see paragraphs 5 and 11) from individuals in Australia in breach of APPs 3.3, 3.5 and 5 
  • within 90 days of the date of the determination, must destroy all the collected images referred to in the previous paragraph, and 
  • within 90 days of the date of this determination, must provide written confirmation to [the OAIC] that the respondent: 
    • is no longer collecting images and vectors… 
    • has destroyed images and vectors…. 

No financial penalty was imposed. (Read more about trends in the OAIC’s compensatory penalties here.) 

You can read the OAIC’s decisions and reasons here. 

See our coverage of other recent data breaches, including:  

Norway’s Grindr Fine 

Cambridge Analytica 

The Red Cross 

Concerned about your organisation’s data privacy and security? Reach out. 

Ready to turn insight into action?
Connect with Privacy 108.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
Privacy 108 collects your name and contact details to respond to your enquiry and communicate with you about it. If you do not provide this information, we may be unable to respond. We do not disclose this information to third parties. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au.
Jodie Siganto
Privacy, security and training
Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.
Jodie Siganto
Privacy, security and training
Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.
Talk to us?
Looking to take your business to the next level? Speak with our experts today!
Contact us
Related articles
  • 1300 41 20 50
  • Level 3, 240 Queen St, Brisbane QLD 4000
  • Ground Floor Reception, 3 Spring St, Sydney NSW 2000
  • PO Box 3295, Yeronga QLD 4104
  • Follow us on LinkedIn
Services
Privacy Risk Management Privacy Impact Assessments AI Governance Privacy Legal Services Research and Policy
Company
About Privacy 108 Our Team Careers Insights Contact Us Privacy Policy Terms & Conditions
Subscribe to our newsletter
Subscribe
Privacy 108 Consulting Pty Ltd ABN 52 600 425 885 is an incorporated legal practice registered with the Queensland Law Society. Liability limited by a scheme approved under Professional Standards Legislation.
We respectfully acknowledge the Traditional Owners of the land we work on and pay our respects to their Elders past, present and future in maintaining the culture, country and their spiritual connection to the land.
© 2026 by Privacy 108 Consulting Pty Ltd. ABN 52 600 425 885
Website by DeeperLook
Subscribe to our Newsletter

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Privacy 108 collects your name and email to send you our newsletter. If you do not provide this information, we will be unable to send it to you. We may use third-party service providers (such as email marketing platforms) to distribute our communications. Some providers may store information overseas, including in the United States. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au. You can unsubscribe at any time using the link in our emails or by contacting hello@privacy108.com.au.