Clearview AI is a technology company headquartered in the United States that operates a facial recognition tool used by several private organizations and law enforcement agencies in Canada. The technology scrapes digital images from publicly accessible websites, including social media, such as Facebook, Twitter, Instagram, and YouTube, and populates its database with images to be used in facial recognition searches. Biometric identifiers were created for each image allowing users to run searches against Clearview’s database to identify matches. Importantly, Clearview did not obtain consent from the individuals whose images were collected, and also breached the terms of service of the platforms hosting the images.
On February 2, 2021 the Office of the Privacy Commissioner of Canada released a report into its findings surrounding the operations of Clearview AI. A joint investigation brought together the federal privacy watchdog with provincial counterparts in Quebec, British Columbia, and Alberta. The investigation examined whether Clearview AI had breached Canadian and provincial privacy laws through the collection, use, and disclosure of personal information. The report concluded that biometric information was collected without consent, that Canadian privacy rights were violated, and that Clearview AI failed to comply with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). The findings should be taken into account by any business within Canada or with a “real and substantial connection” to Canada to ensure compliance with Canadian privacy standards and laws.
Geography Does not Constrain Canadian’s Privacy Rights
The first issue the privacy Commissioners had to contend with was whether they had jurisdiction over Clearview given that it was based outside of Canada. Clearview alleged that the legislation did not apply to it given that its services were not actively aimed at the Canadian market, it did not have servers in the country, and that images were collected indiscriminately from around the world.
The Commissioners rejected those claims, finding that Canadian privacy laws will apply to organizations outside of Canada if a “real and substantial connection” to Canada exists. Referring to A.T. v. Globe24h.com, the report reiterated that a physical presence in Canada is not required to establish a real and substantial connection. Rather, the threshold can be met so long as a significant amount of data is sourced from Canadians. The Commissioners are asserting that privacy rights must be observed regardless of where an organization is based, and if organizations or corporations collect information on Canadians with a view to operating outside of national borders, they will still engage Canada’s privacy laws.
Publicly Available Data Engages Privacy Interests
Canadian privacy laws require that organizations obtain consent for the collection, use, and disclosure of personal information unless an exception applies (For example, section 4.3 of PIPEDA’s Schedule 1). Clearview did not obtain consent from the individuals whose images were collected and argued that it was exempt from the requirement because the information was publicly available. Clearview relied on the “publicly available” exception set out in Section 1(e) of Regulations Specifying Publicly Available Information, which applies to information in a publication such as a book, newspaper, or magazine in print or electronic form that is available to the public. The Commissioners rejected the argument, finding that social media is distinct from the types of publications listed in the Regulations. In their view, following Clearview’s submission would lead to an overly broad exemption so that any publicly accessible content on websites could be deemed a publication. The report reiterates a distinction between information that is “publicly available” and that which is merely “publicly accessible”.
Personal Information Must be Used for Appropriate Purposes
Under section 5(3) of PIPEDA, an organization can collect, use, and disclose personal information “only for purposes that a reasonable person would consider are appropriate in the circumstances”. Clearview alleged that its use of the information was legitimate given potential benefits to law enforcement and national security. Clearview marketed its services to Canadian organizations with the RCMP and other law enforcement agencies using Clearview’s services. Once again, the report rejected Clearview’s argument, finding that while some information may have been used for law enforcement, the primary objective was to operate a commercial technology.
In evaluating whether the use of information is reasonable the Commissioners must complete a “balancing of interests” between the individual’s right to privacy and the commercial needs of an organization. The report accepted that facial biometric data is sensitive and unique to an individual. Clearview’s use of this data amounted to “mass identification and surveillance of individuals”. As Clearview’s use of the information was unrelated to the original purposes for which the images were posted and could be used to the detriment of individuals, Clearview’s use could not be deemed legitimate. Moreover, the images were obtained in a manner that contravened privacy laws.
Leveraging Data Within Canada’s Privacy Regime
The joint report recommended that Clearview stop offering facial recognition services in Canada, with Canada’s Privacy Commissioner, Daniel Therrien, alleging the company placed Canadians in a continuous “police lineup”. The Commissioners also recognized shortcomings in Canada’s privacy legislation. Therrien has noted that federal laws could be clearer that surveillance of this kind should be prohibited to preserve privacy rights.
What Does This Mean for Canadian Companies & Privacy Compliance?
This decision will be consequential to businesses in Canada that wish to exploit advances in biometric technologies as well as sectors that wish to leverage available data sources. The report also made clear that biometric information is particularly sensitive, and organizations may wish to refine their understanding of how data intersects with consent requirements. The condemnation aimed at Clearview AI is one example of privacy authorities pushing back against data surveillance, indicating how Canada’s legislation may evolve to balance privacy protection with ongoing innovation.
The business lawyers at GLG LLP in Toronto would be pleased to help you evaluate risk and guide your business through complex and changing legal obligations. Call the firm at 416-272-7557 or reach out to us online to schedule a consultation.