Clearview AI Faces The Wrath Of Canadian Privacy Commissioners In Connection With Its Exploitation Of Facial Recognition Technologies

Published date11 February 2021
Subject MatterPrivacy, Technology, Privacy Protection, New Technology
Law FirmCassels
AuthorMs Bernice Karn and Marco Ciarlariello


On February 2, 2021 the Office of the Privacy Commissioner of Canada (OPC) and its provincial counterparts in Quebec, British Columbia, and Alberta1 (collectively, the Offices) released a report setting out their findings following a joint investigation of the privacy implications relating to Clearview AI, Inc.'s (Clearview) exploitation of its facial recognition tool2 (the Report). The purpose of the investigation was to determine whether Clearview's collection and exploitation of facial images and biometric identifiers using its facial recognition tool violated federal and provincial privacy laws applicable to private organizations3 and focused on the central questions of whether: (1) Clearview obtained the requisite consent to collect, use, and disclose personal information; and (2) Clearview had an appropriate purpose4 for the collection, use, and disclosure of such personal information.

In investigating these issues, the Offices examined a number of threshold topics, including the application and interpretation of Canadian privacy laws as they apply to private organizations located in foreign jurisdictions and the nature of what constitutes "publicly available" personal information in Canada. In this article, we focus on the Offices' examination of these topics and outline the ways in which the approach taken by the Offices may impact Canadian and foreign businesses that operate in Canada.

Clearview's Personal Information Processing Activities and the Offices' Findings

Clearview is a technology company headquartered in the United States that develops and commercializes facial recognition software. Clearview's technology collects images of faces from online sources (including social media), creates biometric identifiers for each image, and allows users of its software to compare images that they upload against those biometric identifiers to identify the source page of the image. The facial recognition data and biometric information that are collected and created by Clearview's software constitute personal information and are considered to be sensitive in nature. The Offices found that Clearview had amassed a database of more than three billion images of facial and related biometric identifiers, including those of individuals in Canada, some of whom were children.

The Offices determined that Clearview's collection, use, and disclosure of personal information of individuals in Canada violated the Personal Information Protection and Electronic Documents Act (PIPEDA) and the corresponding private sector privacy statutes in Alberta,5 British Columbia6 and Quebec7 on the grounds that: (1) Clearview engaged in the collection, use, and disclosure of personal information without obtaining the requisite consents; and (2) the collection, use, and disclosure of personal information by Clearview was for inappropriate purposes. In the view of the Offices, the purpose of Clearview's collection of images and creation of biometric facial recognition data was inappropriate on the grounds that Clearview's activities: (i) were unrelated to the purpose for which the images were originally posted on the internet; (ii) were to the detriment of the individuals whose images were captured; and (iii) created a risk of significant harm to the individuals.8 In reaching this determination, the Offices made clear that, even in circumstances in which an organization has obtained the consent of the individual to collect, use, or disclose that person's personal information, the purpose of such collection, use, or disclosure must still be for a purpose that a reasonable person would consider to be appropriate, reasonable, or legitimate in the circumstances within the meaning of applicable Canadian privacy laws.9

Clearview objected to the Offices' findings on a number of grounds, including:

  • Clearview should not be required to seek consent of the individual data subjects on the grounds that the personal information it collected was "publicly available" within the meaning of applicable Canadian privacy laws;10
  • Clearview's purposes for collection, use, and disclosure were appropriate because the software was intended for the sole and exclusive use of law enforcement, provided benefits to public...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT