Exceptions From Consent In PIPEDA: Facial Recognition, Privacy And Clearview

• Published date: 11 February 2021
• Subject Matter: Government, Public Sector, Media, Telecoms, IT, Entertainment, Privacy, Data Protection, Privacy Protection, Constitutional & Administrative Law, Social Media
• Law Firm: McCarthy Tétrault LLP
• Author: Mr Barry Sookman, Daniel G. C. Glover and Jade Buchanan

PIPEDA requires consent for the collection, use and disclosure of personal information. PIPEDA also has many exceptions where consents are not required. These exceptions are part of the balance in PIPEDA and enable uses of public information for beneficial purposes that are in the public interest. The collection of photos from online sources by Clearview AI, Inc. ("Clearview") using facial recognition software to facilitate use by law enforcement was recently found to be illegal following a joint investigation by the federal Office of the Privacy Commissioner of Canada ("OPC" or the "Commissioner") and privacy Commissioners from Quebec ("CAI"), Alberta ("OIPC AB"), and British Columbia ("OIPC BC") (collectively, the "Offices"). In making the findings in PIPEDA Report of Findings #2021-001 ("Findings"), the Offices concluded that exceptions from consent in PIPEDA must be narrowly construed and that the publicly available exemption set out in the Regulations Specifying Publicly Available Information under PIPEDA (the "Regulations") do not apply to websites and social media sites.

The conclusions that exceptions from consent must be construed narrowly and that the Regulations do not apply to websites and social media sites have significant implications for the interpretation of PIPEDA and provincial privacy laws as a whole and the Regulations in particular. These conclusions in the Findings are not supported by the authorities relied on by the Offices and deserve close scrutiny.

Background

The Offices conducted a joint investigation to examine whether Clearview's collection, use and disclosure of personal information using its facial recognition tool complied with federal and provincial privacy laws applicable to the private sector.

Clearview's facial recognition tool "scrapes" images of faces and associated data from publicly accessible online sources including public websites and social media sites such as Facebook, YouTube, Instagram, Twitter and Venmo. It stores that information in its database which has over 3 billion images including images of Canadians and images of children. It creates biometric identifiers for each image and allows users to upload an image to match to images in the database. If there is a match, Clearview provides a list of results containing matching images and metadata. If a user clicks on the results the user is directed to the original source page of the image.

Clearview's tool is intended for use for law enforcement and investigative purposes. A variety of organizations, including private sector entities, used this service via a free-trial service. These included the RCMP and other Canadian police forces.

Following the commencement of the joint investigation, Clearview left the Canadian market. Clearview did not, however, promise to delete images of Canadians from its database on a permanent basis.

Findings of the Offices

Clearview did not seek consent from the individuals whose images were collected. Nor did Clearview obtain authorization to scrape the images from the owners of the major sites from which the images were collected. It relied on the "publicly available" exception in the Regulations and in the corresponding provincial privacy laws. Clearview claimed that neither PIPEDA nor the provincial privacy acts applied to it because it did not have servers in Canada. The Offices rejected both of these arguments. They also found that the collection of individuals' images was for a purpose that reasonable persons would find to be inappropriate and for that reason also contravened applicable privacy laws.

The Findings of the OPC and other Offices are summarized below and are followed by our comments. For the sake of brevity, we focus primarily on the holdings made under PIPEDA.

The jurisdictional challenge

The Offices had little trouble concluding that PIPEDA and the provincial privacy laws applied to Clearview. Relying on prior cases, they applied the real and substantial connection test finding that PIPEDA applied to Clearview's collection, use and disclosure of the images even though its servers were outside of Canada. In coming to this conclusion, they considered the relevant connecting factors "including the factors set out in A.T. v. Globe24h: (1) the location of the target audience of the website, (2) the source of the content on the website, (3) the location of the website operator, and (4) the location of the host server."¹

Did Clearview obtain requisite consents?

Clearview did not obtain any express consents from individuals for its collection, use and disclosure of the images. It took the position that no consent was necessary for its facial recognition harvesting of images in reliance on the "publicly available" exception prescribed by Section 1(e) of the Regulations. This exception from consent applies to the following class of information: "personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information."

The Offices, relying on the OPC's prior finding in PIPEDA Report of Findings #2018-002 ("Profile Technology"), rejected that information on public websites and social media sites was publicly available within the meaning of the Regulations. The Findings were founded on two interpretations of the Regulations. First, public websites and social media sites are not eligible "publications" within the meaning of the Regulations. Second, Clearview could not rely on Section 1(e) because its use of the images was not for the purpose for which they were made publicly available.² According to the Findings, "Information from sources such as social media or professional profiles, collected from public websites and then used for an unrelated purpose, does not fall under the 'publicly available' exception of PIPEDA."

The Findings contain several reasons to support these conclusions.

First, the Offices concluded that the Regulations, as exceptions from consent, should be interpreted narrowly. The Findings state:

When interpreting the Regulations, we note that as privacy legislation is considered by the courts to be quasi-constitutional, the rights accorded under them should be given a broad, purposive and liberal interpretation, and restrictions on those rights should be interpreted narrowly.

Since the Regulations create an exemption to a core privacy protection - the requirement for collection, use and disclosure of personal information to be with consent - they should be interpreted narrowly. With this in mind, we do not accept Clearview's arguments in favour of a wider "plain language" interpretation.

Second, social media sites are not expressly specified as a publication within the meaning of Section 1(e) of the Regulations:

... social media, from which Clearview obtained a significant proportion of the images in its database, is not specified as a "publication" in the language of the PIPEDA regulations.

Third, social media web pages differ from the specific examples of the types of publications that are listed in the Regulations:

It is the OPC's view that social media web pages differ substantially from the sources identified in the PIPEDA regulations. As the OPC previously found in the matter of Profile Technology, there are a number of key differences between online information sources such as social media, and the examples of "publications" included in 1(e):

1. social media web pages contain dynamic content, with new information being added, changed or deleted in real-time; and
2. individuals exercise a level of direct control, a fundamental component of privacy protection, over their social media accounts and over accessibility to associated content over time - for example, via privacy settings.

Fourth, the acceptance of Clearview's interpretation of PIPEDA would create too broad an exception to consent under PIPEDA:

Ultimately, Clearview's assertions that publication necessarily includes "public blogs, public social media or any other public websites," taken to their natural conclusion, imply that all publicly accessible content on the Internet is a publication in some form or other. This would create an extremely broad exemption that undermines the control users may otherwise maintain over their information at the source. In this regard, it has been noted that control is a fundamental component of privacy protection.

Fifth, for at least some of the images, the individuals may not have provided the information:

Even if such web pages were to be considered "publications" in the meaning of the Regulations, which we do not accept, s. 1(e) of the PIPEDA Regulations and s. 7(e) of the PIPA AB Regulations specify that the exception only applies "where the individual has provided the information," or where "it is reasonable to assume that the individual that the information is about provided that information," respectively. As Clearview engages in mass collection of images through automated tools, it is inevitable that in many instances, the images would have instead been uploaded by a third party.

Was Clearview collecting, using or disclosing personal information for an appropriate purpose?

Under Section 5(3) of PIPEDA, "An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances." The Findings found that "Clearview's purpose for collecting, using or disclosing personal information was neither...