Clearview AI’s Australian Privacy Breach
Penalties have started to flow in for Clearview AI’s controversial scraping and use of the facial biometrics of social media users from around the world. Regulators in Canada, the UK, France, and Australia have all issued penalties or notices to the US company to stem its use of its facial recognition database. Meanwhile, Clearview AI maintains it has only ever used publicly available information. So, what laws are behind the Clearview AI Australian privacy breach?
What Does Clearview AI do?
Clearview AI is a facial recognition system that is designed to support law enforcement around the globe (wherever it is permitted). Facial recognition AIs are controversial generally for a multitude of reasons, including the risk of racial biases and the infringement of personal privacy through the expanding use of biometric data.
Clearview AI’s facial recognition system is also controversial (and, in some jurisdictions, unlawful) as a result of how it amassed the three billion faces in its database – through social media scraping.
Essentially, Clearview AI’s technology crawled Facebook, Instagram and other social media platforms and copied the biometric information available in the users’ public profiles. This was done without the consent of the individual users.
Privacy Concerns Raised Around the Globe by Clearview AI’s Platform
In February 2021, Canada’s Privacy Commissioner recommended that Clearview stop offering its facial recognition services to Canadian clients, including the RCMP, which was a paying client. The privacy authority also recommended that Clearview stop collecting images of individuals in Canada and delete the images and biometric information of individuals in Canada that it had previously collected.
Meanwhile, the Illinois arm of the American Civil Liberties Union filed a lawsuit against Clearview AI in May 2020 for breaches under the state’s Biometric Information Privacy Act. This lawsuit is still making its way through the courts.
In Europe, France’s watchdog ordered Clearview AI in December 2021 to cease collecting images of individuals in France and to comply with requests for erasure. Italy’s privacy authority imposed a 20 million Euro fine and ordered Clearview AI to erase existing data and cease collecting data. The UK imposed a provisional £17 million fine, following a joint investigation with the OAIC.
Clearview AI Australia Privacy Breach: The OAIC’s Findings
The Office of the Australian Information Commissioner (OAIC) launched its joint investigation (with the UK’s ICO) into Clearview AI in July 2020. In November 2021, the OAIC determined that Clearview AI had breached Australian privacy laws by:
- [failing] to comply with the requirement in Australian Privacy Principle (APP) 1.2… to take reasonable steps to implement practices, procedures and systems relating to the entity’s functions or activities, that will ensure compliance with the APPs.
- [interfering] with the privacy of Australian individuals, by failing to:
  - collect sensitive information about an individual only where the individual consented to the collection (and the information was reasonably necessary for one or more of the entity’s functions or activities) (APP 3.3) in circumstances where no other exceptions applied to permit the collection (APP 3.4)
  - collect personal information only by lawful and fair means (APP 3.5)
  - take such steps (if any) as were reasonable in the circumstances to notify individuals of the collection of personal information (APP 5)
  - take such steps (if any) as were reasonable in the circumstances to ensure that the personal information it used or disclosed was, having regard to the purpose of the use or disclosure, accurate, up‑to‑date, complete and relevant (APP 10.2).
Outcome of the OAIC’s Clearview AI Investigation
Following the investigation into Clearview AI in Australia, it was determined that the company:
- must not repeat or continue the acts and practices that were found to be in breach
- must cease to collect Scraped Images, Probe Images, Scraped Image Vectors, Probe Image Vectors and Opt-out Vectors (see paragraphs 5 and 11) from individuals in Australia in breach of APPs 3.3, 3.5 and 5
- within 90 days of the date of the determination, must destroy all the collected images referred to in the previous paragraph, and
- within 90 days of the date of this determination, must provide written confirmation to [the OAIC] that the respondent:
  - is no longer collecting images and vectors…
  - has destroyed images and vectors….
No financial penalty was imposed.