Clearview AI is a technology company headquartered in the United States that operates a facial recognition tool used by several private organizations and law enforcement agencies in Canada. The technology scrapes digital images from publicly accessible websites, including social media, such as Facebook, Twitter, Instagram, and YouTube, and populates its database with images to be used in facial recognition searches. Biometric identifiers were created for each image allowing users to run searches against Clearview\u2019s database to identify matches. Importantly, Clearview did not obtain consent from the individuals whose images were collected, and also breached the terms of service of the platforms hosting the images.<\/p>\n
On February 2, 2021 the Office of the Privacy Commissioner of Canada released a report<\/a> into its findings surrounding the operations of Clearview AI. A joint investigation brought together the federal privacy watchdog with provincial counterparts in Quebec, British Columbia, and Alberta. The investigation examined whether Clearview AI had breached Canadian and provincial privacy laws through the collection, use, and disclosure of personal information. The report concluded that biometric information was collected without consent, that Canadian privacy rights were violated, and that Clearview AI failed to comply with Canada\u2019s Personal Information Protection and Electronic Documents Act <\/em>(PIPEDA). The findings should be taken into account by any business within Canada or with a “real and substantial connection” to Canada to ensure compliance with Canadian privacy standards and laws.<\/p>\n The first issue the privacy Commissioners had to contend with was whether they had jurisdiction over Clearview given that it was based outside of Canada. Clearview alleged that the legislation did not apply to it given that its services were not actively aimed at the Canadian market, it did not have servers in the country, and that images were collected indiscriminately from around the world.<\/p>\n The Commissioners rejected those claims, finding that Canadian privacy laws will apply to organizations outside of Canada if a \u201creal and substantial connection\u201d to Canada exists. Referring to A.T. v. Globe24h.com<\/em>, the report reiterated that a physical presence in Canada is not required to establish a real and substantial connection. Rather, the threshold can be met so long as a significant amount of data is sourced from Canadians. The Commissioners are asserting that privacy rights must be observed regardless of where an organization is based, and if organizations or corporations collect information on Canadians with a view to operating outside of national borders, they will still engage Canada\u2019s privacy laws.<\/p>\n Canadian privacy laws require that organizations obtain consent for the collection, use, and disclosure of personal information unless an exception applies (For example, section 4.3 of PIPEDA\u2019s Schedule 1). Clearview did not obtain consent from the individuals whose images were collected and argued that it was exempt from the requirement because the information was publicly available. Clearview relied on the \u201cpublicly available\u201d exception set out in Section 1(e) of Regulations Specifying Publicly Available Information,<\/em> which applies to information in a publication such as a book, newspaper, or magazine in print or electronic form that is available to the public. The Commissioners rejected the argument, finding that social media is distinct from the types of publications listed in the Regulations. In their view, following Clearview\u2019s submission would lead to an overly broad exemption so that any publicly accessible content on websites could be deemed a publication. The report reiterates a distinction between information that is \u201cpublicly available\u201d and that which is merely \u201cpublicly accessible\u201d.<\/p>\n Under section 5(3) of PIPEDA, an organization can collect, use, and disclose personal information \u201conly for purposes that a reasonable person would consider are appropriate in the circumstances\u201d. Clearview alleged that its use of the information was legitimate given potential benefits to law enforcement and national security. Clearview marketed its services to Canadian organizations with the RCMP and other law enforcement agencies using Clearview\u2019s services. Once again, the report rejected Clearview\u2019s argument, finding that while some information may have been used for law enforcement, the primary objective was to operate a commercial technology.<\/p>\n In evaluating whether the use of information is reasonable the Commissioners must complete a \u201cbalancing of interests\u201d between the individual\u2019s right to privacy and the commercial needs of an organization. The report accepted that facial biometric data is sensitive and unique to an individual. Clearview\u2019s use of this data amounted to \u201cmass identification and surveillance of individuals\u201d. As Clearview\u2019s use of the information was unrelated to the original purposes for which the images were posted and could be used to the detriment of individuals, Clearview\u2019s use could not be deemed legitimate. Moreover, the images were obtained in a manner that contravened privacy laws.<\/p>\n The joint report recommended that Clearview stop offering facial recognition services in Canada, with Canada\u2019s Privacy Commissioner, Daniel Therrien, alleging the company placed Canadians in a continuous \u201cpolice lineup\u201d. The Commissioners also recognized shortcomings in Canada\u2019s privacy legislation. Therrien has noted that federal laws could be clearer that surveillance of this kind should be prohibited to preserve privacy rights.<\/p>\n This decision will be consequential to businesses<\/a> in Canada that wish to exploit advances in biometric technologies as well as sectors that wish to leverage available data sources. The report also made clear that biometric information is particularly sensitive, and organizations may wish to refine their understanding of how data intersects with consent requirements. The condemnation aimed at Clearview AI is one example of privacy authorities pushing back against data surveillance, indicating how Canada\u2019s legislation may evolve to balance privacy protection with ongoing innovation.<\/p>\n The business lawyers<\/a> at GLG LLP<\/strong> in Toronto would be pleased to help you evaluate risk and guide your business through complex and changing legal obligations. Call the firm at 416-272-7557 <\/strong>or reach out to us online<\/a> to schedule a consultation.<\/p>\n","protected":false},"excerpt":{"rendered":"Clearview AI is a technology company headquartered in the United States that operates a facial recognition tool used by several private organizations…","protected":false},"author":4,"featured_media":636,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[4],"tags":[],"yoast_head":"\nGeography Does not Constrain Canadian\u2019s Privacy Rights<\/h2>\n
Publicly Available Data Engages Privacy Interests<\/h2>\n
Personal Information Must be Used for Appropriate Purposes<\/h2>\n
Leveraging Data Within Canada\u2019s Privacy Regime<\/h2>\n
What Does This Mean for Canadian Companies & Privacy Compliance?<\/h2>\n