Australian privacy commissioner rules Clearview AI in breach of consumer privacy for facial recognition database and says multiple police forces are under investigation for employing the sensitive biometric database
Facial recognition companies and brands endeavouring to use the technology have been put on notice by Australia’s privacy commissioner after two rulings determined such data collection to be a breach of consumer privacy.
The Office of the Australian Information Commissioner (OAIC) today found Clearview AI in breach of privacy legislation for collecting images and biometric information from individuals in Australia without their consent and for the purposes of commercial gain.
A joint investigation launched into the US-based company by the Office of the Australian Information Commissioner (OAIC) and the UK Information Commission’s Officer (ICO) commenced in March 2020 found the facial recognition technology company to be in breach of privacy legislation for collecting Australians’ sensitive information without their consent.
US-based Clearview has created a facial recognition tool that’s been used to build a database of more than 3 billion images globally. To do this, the company takes data from social media platforms and publicly available websites, then links to where the photos appeared for identification purposes.
In its determination, the OAIC found Clearview collected personal information by unfair means, did not taking reasonable steps to notify individuals that such personal information was collected, and did not take reasonable steps to ensure information disclosed was accurate. Clearview was also found to have breached the Act by not taking reasonable steps to implement practices, procedures and systems to ensure compliance with Australian Privacy Principles.
The company had collected data between October 2019 and March 2020 as part of a trial of its facial recognition tool with several Australian police forces, which then used the images to conduct searches. The users included the Queensland, Victorian, South Australian and Australian Federal Police forces.
The OAIC is also finalising an investigation into the Australian Federal Police’s trial use of the technology and whether it complied with requirements under the Australian Government Agencies Privacy Code to assess and mitigate privacy risks.
Clearview has been ordered to cease collecting facial images and biometric templates, as well as destroy any Australian biometric information collected within 90 days.
In its determination, the OAIC noted the lack of transparency around Clearview AI’s collection practices, the monetisation of individuals’ data for a purpose entirely outside reasonable expectations, and the risk of adversity to people whose images are included in their database. Commissioner, Angelene Falk, also found the privacy impacts of the facial recognition system were not necessary, legitimate and proportionate against public interest benefits.
“The covert collection of this kind of sensitive information is unreasonably intrusive and unfair,” Falk stated. “It carries significant risk of harm to individuals, including vulnerable groups such as children and victims of crime, whose images can be searched on Clearview AI’s database.
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.