Clearview AI: Alignment in Global Enforcement Approach

14.03.2022

Investigations into US facial recognition firm Clearview AI by Canadian regulators and UK/Australia yeilded similar findings notwithstanding significant distinctions in legal regimes. Global enforcement cooperation may be viable even without global consenus on the legal framework for privacy regulation.

INTRODUCTION

Clearview AI (“Clearview”) was described as “the secretive company that might end privacy as we know it” by The New York Times. The U.S. based company developed a facial recognition App to allow law enforcement and others to run searches against a digital image of an individual’s face for likely matches. The company’s database of over three billion images of faces and corresponding biometric identifiers was populated by scraping public websites such as Facebook, YouTube, Instagram, Twitter and Venmo.

 

CANADA JOINT INVESTIGATION

In February 2021, the federal Office of the Privacy Commissioner of Canada, alongside the provincial privacy regulators in the Provinces of British Columbia, Alberta and Québec issued their investigative Report addressing compliance of the APP with their respective laws.

The private sector private sector laws are based on a consent model. The Commissioners determined that Clearview failed to obtain the requisite express, opt-in consent for the collection of data deemed “sensitive”. The Commissioners rejected that any exception to consent existed based on the data being “publicly available”, stressing that social media data is not public information as defined in the relevant legislation. The Commissioners further determined that Clearview’s data processing failed the critical gateway of “appropriate purpose” enshrined in the Canadian laws, emphasizing that Clearview’s for profit commercial purpose did not justify mass collection of images which posed a risk of real harm associated with potential investigation or prosecution.

 

UK-AUSTRALIA JOINT INVESTIGATION

The UK-Australia Joint Investigation yielded similar findings. The Australian decision cited Canada’s Report, and found that Clearview breached the law by failing to collect information fairly and lawfully, obtain consent before collecting sensitive information, and notify individuals. While the UK, unlike Canada, has a concept of legitimate basis for processing, the UK regulator ultimately reached very similar conclusions in its preliminary ruling , on the basis that Clearview AI lacked a “lawful reason” for collecting the information, and failed to process data in a way that people would be likely to expect or consider fair. Having reached similar conclusions (including by giving a ‘nod” to the findings or other global regulators), these investigations show the potential for future international cooperation as regulators advance common interests notwithstanding distinctions in legal regimes.

 

Article provided by INPLP member: Wendy Wagner (Gowling WLG LLP, Canada)

 

 

Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.