Clearview AI Faces The Wrath Of Canadian Privacy Commissioners In Connection With Its Exploitation Of Facial Recognition Technologies

• Published date: 11 February 2021
• Subject Matter: Privacy, Technology, Privacy Protection, New Technology
• Law Firm: Cassels
• Author: Ms Bernice Karn and Marco Ciarlariello

Introduction

On February 2, 2021 the Office of the Privacy Commissioner of Canada (OPC) and its provincial counterparts in Quebec, British Columbia, and Alberta¹ (collectively, the Offices) released a report setting out their findings following a joint investigation of the privacy implications relating to Clearview AI, Inc.'s (Clearview) exploitation of its facial recognition tool² (the Report). The purpose of the investigation was to determine whether Clearview's collection and exploitation of facial images and biometric identifiers using its facial recognition tool violated federal and provincial privacy laws applicable to private organizations³ and focused on the central questions of whether: (1) Clearview obtained the requisite consent to collect, use, and disclose personal information; and (2) Clearview had an appropriate purpose⁴ for the collection, use, and disclosure of such personal information.

In investigating these issues, the Offices examined a number of threshold topics, including the application and interpretation of Canadian privacy laws as they apply to private organizations located in foreign jurisdictions and the nature of what constitutes "publicly available" personal information in Canada. In this article, we focus on the Offices' examination of these topics and outline the ways in which the approach taken by the Offices may impact Canadian and foreign businesses that operate in Canada.

Clearview's Personal Information Processing Activities and the Offices' Findings

Clearview is a technology company headquartered in the United States that develops and commercializes facial recognition software. Clearview's technology collects images of faces from online sources (including social media), creates biometric identifiers for each image, and allows users of its software to compare images that they upload against those biometric identifiers to identify the source page of the image. The facial recognition data and biometric information that are collected and created by Clearview's software constitute personal information and are considered to be sensitive in nature. The Offices found that Clearview had amassed a database of more than three billion images of facial and related biometric identifiers, including those of individuals in Canada, some of whom were children.

The Offices determined that Clearview's collection, use, and disclosure of personal information of individuals in Canada violated the Personal Information Protection and Electronic Documents Act (PIPEDA) and the corresponding private sector privacy statutes in Alberta,⁵ British Columbia⁶ and Quebec⁷ on the grounds that: (1) Clearview engaged in the collection, use, and disclosure of personal information without obtaining the requisite consents; and (2) the collection, use, and disclosure of personal information by Clearview was for inappropriate purposes. In the view of the Offices, the purpose of Clearview's collection of images and creation of biometric facial recognition data was inappropriate on the grounds that Clearview's activities: (i) were unrelated to the purpose for which the images were originally posted on the internet; (ii) were to the detriment of the individuals whose images were captured; and (iii) created a risk of significant harm to the individuals.⁸ In reaching this determination, the Offices made clear that, even in circumstances in which an organization has obtained the consent of the individual to collect, use, or disclose that person's personal information, the purpose of such collection, use, or disclosure must still be for a purpose that a reasonable person would consider to be appropriate, reasonable, or legitimate in the circumstances within the meaning of applicable Canadian privacy laws.⁹

Clearview objected to the Offices' findings on a number of grounds, including:

• Clearview should not be required to seek consent of the individual data subjects on the grounds that the personal information it collected was "publicly available" within the meaning of applicable Canadian privacy laws;¹⁰
• Clearview's purposes for collection, use, and disclosure were appropriate because the software was intended for the sole and exclusive use of law enforcement, provided benefits to public...