Clearview AI found in breach of Canadian privacy laws

The Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, the Information and Privacy Commissioner for British Columbia, and the Information and Privacy Commissioner of Alberta published the results of their investigation into whether Clearview AI has complied with Canadian federal and provincial privacy laws when collecting, using, and disclosing personal information through its facial recognition tool. Clearview maintains a database of over three billion images of faces and corresponding biometric identifiers collected from public websites, which Clearview has made available to law enforcement authorities (LEAs). The Canadian data protection authorities (DPAs) found that the company should have requested express consent from the individuals whose data was included in the database. The DPAs rejected the claim made by Clearview that the information was ‘publicly available’ and thus exempt from consent requirements. The authorities also found as inappropriate the mass collection of images and the creation of biometric facial recognition arrays by Clearview for the purpose of providing a service to LEAs, noting that such practices represent mass identification and surveillance of individuals by a private entity in a commercial activity. The company was therefore found in breach of privacy laws and was recommended to: (a) cease offering its facial recognition services in Canada; (b) cease the collection, use, and disclosure of images and biometric facial arrays collected from individuals in Canada; and (c) delete images and biometric facial arrays collected from individuals in Canada in its possession. As stated in the report, Clearview disagreed with the conclusions and did not indicate that it would follow the recommendations. This led the authorities to indicate that they ‘will pursue other actions available’ to them to ensure that privacy laws are respected. In January 2021, the Hamburg DPA reached similar conclusions, when it found that Clearview AI had to comply with the EU General Data Protection Regulation and ordered the company to delete the biometric profile of a complainant.