The use of a facial recognition tool by Clearview AI, Inc. was the subject of an investigation by the privacy commissioners of Alberta, British Columbia and Quebec and their federal counterpart. In their jointly published report of findings, the privacy commissioners held that Clearview's treatment of Canadians' personal information was in breach of provincial and federal private sector privacy laws, and recommended that Clearview cease all operations in Canada and delete all images and biometric facial arrays about Canadians in its possession.
In the report, the privacy commissioners confirm their position on three important points that have application beyond the use of facial recognition:
Clearview's facial recognition tool functions in four sequential steps:
Clearview's customers include law enforcement agencies, such as the RCMP, and others in various jurisdictions. Clearview markets its tool as a service that allows law enforcement agencies to quickly identify people of interest. According to the report, Clearview has scraped billions of images and created biometric identifiers for tens of millions of Canadians, including children.
Speaking as one voice, the commissioners issued the report under each of their respective enabling statutes:
The main issues considered in the report were:
Regarding jurisdiction, Clearview took the position that the provincial and federal privacy commissioners did not have jurisdiction over Clearview because it was located outside of Canada, and did not target Canadians but rather collected information indiscriminately.
The report rejected Clearview's argument, holding that Clearview "actively marketed its services to Canadian organizations [and] publicly declared Canada to be part of its core market in statements to the media and its own promotional materials." The report also noted that Clearview provided services to the RCMP and other Canadian law enforcement entities, on both paid and free-trial arrangements. That Clearview "collects images without regard to geography does not preclude [the federal privacy commissioner's] jurisdiction when a substantial amount of its content is sourced from Canada."
On the matter of provincial jurisdiction, the report states that "Clearview's activities fall under the jurisdiction of both the [federal commissioner and those of] the provinces" because:
Clearview acknowledged that it made no attempts to obtain express consent from data subjects, and instead argued that there is no requirement to obtain consent to use personal information that is available on the internet since there could be no reasonable expectation of privacy. On the contrary, the report held that images uploaded to social media are not "publications" in the same way that images in a magazine might be, and are therefore not subject to the same exemptions for the consent requirement. Furthermore, the report noted that such images are not necessarily uploaded with all photographed individuals' consent, and would not be uploaded with the expectation that such images would be used for mass surveillance.
On differentiating social media websites from other "publications," the report noted that:
Furthermore, the privacy laws' designated sources of what is considered "publically available" did not include social media websites.
Clearview contended that its purpose was appropriate "[g]iven the significant potential benefit of Clearview's services to law enforcement and national security." The report rejected this argument, holding instead that "[a]lthough some of the information collected may have ultimately been used for law enforcement, Clearview's real purpose for the collection is a commercial for-profit enterprise and not law enforcement." Furthermore, the report stated that "Clearview fails to acknowledge: (i) the myriad of instances where false, or misapplied matches could result in reputational damage to individuals, and (ii) more fundamentally, the affront to individuals' privacy rights and broad-based harm inflicted on all members of society, who find themselves under continual mass surveillance by Clearview based on its indiscriminate scraping and processing of their facial images."
The report recommends that Clearview cease offering the facial recognition services in Canada, cease the collection, use and disclosure of images and biometric facial arrays collected from individuals in Canada, and delete images and biometric facial arrays collected from individuals in Canada. The report notes that Clearview has declined to accept the findings and recommendations, and indicates that the privacy commissioners "will pursue other actions available to us under our respective Acts to bring Clearview into compliance with federal and provincial privacy laws applicable to the private sector."
The report raised some further concerns that the commissioners felt were relevant but on which they do not specifically opine:
The report stated that part of its reason for publishing its findings was to "ensure that other organizations will have the benefit of our conclusions as they contemplate initiatives that may share certain similarities with Clearview's practices." In other words, the report is self-identifying as a warning shot.
This report should be considered in addition to the recent report by the federal privacy commissioner regarding the use of facial recognition technology by Cadillac Fairview (see Use of Facial Recognition Software for Customer Analytics). In that investigation, the federal privacy commissioner was similarly focused on the inherent sensitivity of facial recognition data and the requirement of express consent in order to collect, use or disclose that information.
Organizations that collect, use, or disclose biometric information, or collect, use or disclose information from disparate online sources, should consider the privacy commissioners' newly-emboldened posture on its commitment to bring organizations into compliance with Canadian privacy laws.
Bennett Jones would be pleased to help you navigate Canada's complex framework of privacy legislation. If you would like to learn more, we invite you to contact the authors of this post or other members of our Privacy & Data Protection group.