Investigative findings
In a joint investigation report, the Privacy Commissioner of Canada, together with the commissioners of BC, Alberta, and Quebec, concluded that Clearview AI violated Canadians’ privacy rights under federal and provincial privacy laws by scraping billions of images of people available online to be continually used in what amounted to a virtual “police lineup.” They found Clearview collected highly sensitive information without the knowledge or consent of individuals, and did so for an inappropriate purpose.
Several key considerations informed the commissioners’ views.
Online data is protected
Heavy reliance on social media, and on the readily available personal information found there, adds another wrinkle to this story.
Federal and provincial privacy laws have an exception to the consent requirement for personal information that is “publicly available.” While Clearview argued that the images it scraped were “publicly available” and exempt from the consent requirement, it used this information for a purpose unrelated to the purposes for which the information had originally been posted, and therefore could not rely on these exemptions.
In short, the fact that personal information is available online does not mean it can be used by anyone for any purpose he or she chooses, or that consent is not necessary. Personal information available online is still protected by privacy laws unless the specific requirements of the “publicly available” exception apply.
The meaning of the “publicly available” exception
The circumstances in which personal information is “publicly available” are specifically defined under privacy law. Clearview argued that the regulations should be broadly interpreted to include public blogs, social media and other public web content because these are like the “publications” specifically mentioned or prescribed in the regulations, and because a narrow interpretation would violate the constitutional right to freedom of expression.
The commissioners disagreed. They found that Clearview’s assertions, taken to their natural conclusion, would apply to all publicly accessible content on the Internet, regardless of who made the information available or why it was uploaded in the first place. They found this would undermine individuals’ ability to maintain control over their personal information at the source, and control is a fundamental component of privacy protection under the law. Nor was the information “public by law,” which would exempt it from Quebec’s private sector law, and no exception of this nature exists for other biometric data under Quebec’s information technology legislation.
Finally, Clearview failed to show how its constitutional freedom of expression rights had been violated. It failed to explain how its activities expressed a message relating to the pursuit of truth, participation in the community, individual self-fulfillment or human flourishing, which are the types of expression that the constitutional right to freedom of expression is meant to protect.
Purpose for data collection, use and disclosure
While the words used vary slightly, the federal, Alberta and BC privacy statutes require, as a minimum standard, that the purposes for the collection, use or disclosure must be reasonable and appropriate in the circumstances. Quebec law requires the organization to have a “serious and legitimate reason” to establish the file.
Clearview’s stated purpose for collecting images and creating the biometric database was to provide a service to law enforcement personnel, and for use by others via trial accounts. The commissioners found that such action was mass identification and surveillance of individuals by private entities in the course of a commercial activity. They concluded that this purpose was not appropriate, reasonable or legitimate in the circumstances, and thus contrary to applicable laws, because:
- the purpose was unrelated to the purposes for which those images were originally posted (for example, social media or professional networking);
- it will often be to the detriment of the individuals whose images are captured (investigation, potential prosecution, embarrassment); and
- it creates the risk of significant harm to those individuals, including misidentification or exposure to a data breach, where the vast majority of the individuals have never been and will never be implicated in a crime or identified as a potential witness.
Consent for data collection, use and disclosure
The commissioners also found that Clearview did not obtain the consent required for its collection, use, and disclosure of personal information. The guidelines for obtaining meaningful consent, as articulated by Canadian privacy commissions, generally require organizations to get express opt-in consent when:
- the information being collected, used or disclosed is sensitive;
- the collection, use, or disclosure is outside of the reasonable expectations of the individual; and/or
- the collection, use, or disclosure creates a meaningful residual risk of significant harm.
In addition to Clearview’s collection of images, its use to create new biometric information (in the form of digital representations for each image) constitutes a distinct and additional collection and use of personal information. Biometric information is sensitive in almost all circumstances and facial biometric information is particularly sensitive. Further, the collection for this purpose was beyond the individuals’ reasonable expectations and created a meaningful risk of harm. Accordingly, express consent was required.
Finally, Clearview violated Quebec law by failing to get express consent and failing to disclose its database of biometric characteristics and measurements to the commission in accordance with Quebec’s information technology legislation.
The failure to get express consent, or any form of consent, meant that the collection of personal information was carried out illegally.
Recommendations
Shortly after the investigation began, Clearview agreed to stop providing its services in the Canadian market. It stopped offering trial accounts to Canadian organizations and discontinued services to its only remaining Canadian subscriber, the RCMP, in July 2020.
The commissioners recommended that Clearview stop offering its biometric database services to Canadian clients; confirm it would not resume offering services in Canada in the future; stop collecting images of individuals in Canada; and delete all previously collected images and biometric facial arrays of individuals in Canada.
Clearview expressly disagreed, and refused to accept the findings or implement the recommendations. As such, the commissioners indicated that, should Clearview maintain its refusal, they each intend to pursue other actions available under their respective acts to bring Clearview into compliance with Canadian laws.
A related Office of the Privacy Commissioner of Canada investigation into the RCMP’s use of Clearview’s facial recognition technology remains ongoing.
Takeaway
The rapid growth in reliance on biometrics for a variety of commercial and other purposes has raised significant concerns not only in Canada but also globally. The federal commissioner’s office, along with its provincial counterparts, has issued guidance for law enforcement agencies on using facial recognition technologies; however, the development, use, and commercialization of such technologies by businesses remains subject to scrutiny. The key point of tension in the guidance will be balancing business needs with individuals’ right to privacy. The commissioners’ clear intention to enforce Clearview’s compliance suggests these issues will continue to be on the front burner for quite some time to come.