Written By Stephen Burns, Ruth Promislow, Sebastien Gittens and Kees de Ridder
The use of a facial recognition tool by Clearview AI, Inc. was the subject of an investigation by the privacy commissioners of Alberta, British Columbia and Quebec and their federal counterpart. In their jointly published report of findings, the privacy commissioners held that Clearview's treatment of Canadians' personal information was in breach of provincial and federal private sector privacy laws, and recommended that Clearview cease all operations in Canada and delete all images and biometric facial arrays about Canadians in its possession.
In the report, the privacy commissioners confirm their position on three important points that have application beyond the use of facial recognition:
- biometric information is inherently sensitive;
- the privacy legislation has extra-territorial application; and
- information that is available on the internet, such as through social media, is not necessarily exempt from consent requirements under privacy legislation.
Clearview's facial recognition tool functions in four sequential steps:
- downloading images of faces and associated data from online sources (including social media sites);
- creating biometric identifiers for each image;
- allowing users to upload a target image; and
- providing a list of images and metadata, including a link to the source, of images that Clearview's software determines are similar to the target.
Clearview's customers include law enforcement agencies, such as the RCMP, and others in various jurisdictions. Clearview markets its tool as a service that allows law enforcement agencies to quickly identify people of interest. According to the report, Clearview has scraped billions of images and created biometric identifiers for tens of millions of Canadians, including children.
Speaking as one voice, the commissioners issued the report under each of their respective enabling statutes:
- Canada's Personal Information Protection and Electronic Documents Act;
- Quebec's Act Respecting the Protection of Personal Information in the Private Sector, and Act to Establish a Legal Framework for Information Technology;
- British Columbia's Personal Information Protection Act; and
- Alberta's Personal Information Protection Act.
The main issues considered in the report were:
- whether the federal and provincial commissioners had jurisdiction to consider the issue;
- whether Clearview was required to obtain consent for its treatment of personal information, and if so, whether it did; and
- whether Clearview treated personal information for a reasonable purpose.
Regarding jurisdiction, Clearview took the position that the provincial and federal privacy commissioners did not have jurisdiction over Clearview because it was located outside of Canada, and did not target Canadians but rather collected information indiscriminately.
The report rejected Clearview's argument, holding that Clearview "actively marketed its services to Canadian organizations [and] publicly declared Canada to be part of its core market in statements to the media and its own promotional materials." The report also noted that Clearview provided services to the RCMP and other Canadian law enforcement entities, on both paid and free-trial arrangements. That Clearview "collects images without regard to geography does not preclude [the federal privacy commissioner's] jurisdiction when a substantial amount of its content is sourced from Canada."
On the matter of provincial jurisdiction, the report states that "Clearview's activities fall under the jurisdiction of both the [federal commissioner and those of] the provinces" because:
- "Clearview's practice of indiscriminate scraping has undoubtedly resulted in the collection of the personal information of individuals within Quebec, Alberta and British Columbia;" and
- "provincial and municipal law enforcement agencies located within the provinces and subject to provincial oversight were targeted and used trial accounts of Clearview's software."
Clearview acknowledged that it made no attempts to obtain express consent from data subjects, and instead argued that there is no requirement to obtain consent to use personal information that is available on the internet since there could be no reasonable expectation of privacy. On the contrary, the report held that images uploaded to social media are not "publications" in the same way that images in a magazine might be, and are therefore not subject to the same exemptions for the consent requirement. Furthermore, the report noted that such images are not necessarily uploaded with all photographed individuals' consent, and would not be uploaded with the expectation that such images would be used for mass surveillance.
On differentiating social media websites from other "publications," the report noted that:
- social media sites are dynamic, with information being added, changed, and deleted in real time; and
- individuals exercise a level of direct control over accessibility of content over time.
Furthermore, the privacy laws' designated sources of what is considered "publically available" did not include social media websites.
Clearview contended that its purpose was appropriate "[g]iven the significant potential benefit of Clearview's services to law enforcement and national security." The report rejected this argument, holding instead that "[a]lthough some of the information collected may have ultimately been used for law enforcement, Clearview's real purpose for the collection is a commercial for-profit enterprise and not law enforcement." Furthermore, the report stated that "Clearview fails to acknowledge: (i) the myriad of instances where false, or misapplied matches could result in reputational damage to individuals, and (ii) more fundamentally, the affront to individuals' privacy rights and broad-based harm inflicted on all members of society, who find themselves under continual mass surveillance by Clearview based on its indiscriminate scraping and processing of their facial images."
The report recommends that Clearview cease offering the facial recognition services in Canada, cease the collection, use and disclosure of images and biometric facial arrays collected from individuals in Canada, and delete images and biometric facial arrays collected from individuals in Canada. The report notes that Clearview has declined to accept the findings and recommendations, and indicates that the privacy commissioners "will pursue other actions available to us under our respective Acts to bring Clearview into compliance with federal and provincial privacy laws applicable to the private sector."
The report raised some further concerns that the commissioners felt were relevant but on which they do not specifically opine:
- There are concerns over the efficacy and accuracy of facial recognition technologies, including Clearview's and others. According to the report, facial recognition technologies disproportionately misidentify faces of people of colour, and especially women of colour, by a factor of 10 to 100 times, which could result in discriminatory treatment.
- False positive matches could pose great risk of harm to individuals, especially in a law-enforcement context.
- Clearview has received cease and desist letters from Google, Facebook, Twitter, and LinkedIn regarding Clearview's practice of collecting information in violation of terms of service.
- Clearview's systems have been breached before, including two occasions that it has publicly acknowledged: in February 2020 when its client list was leaked and in April 2020 when its source code and pilot project video were obtained and partially leaked.
The report stated that part of its reason for publishing its findings was to "ensure that other organizations will have the benefit of our conclusions as they contemplate initiatives that may share certain similarities with Clearview's practices." In other words, the report is self-identifying as a warning shot.
This report should be considered in addition to the recent report by the federal privacy commissioner regarding the use of facial recognition technology by Cadillac Fairview (see Use of Facial Recognition Software for Customer Analytics). In that investigation, the federal privacy commissioner was similarly focused on the inherent sensitivity of facial recognition data and the requirement of express consent in order to collect, use or disclose that information.
Organizations that collect, use, or disclose biometric information, or collect, use or disclose information from disparate online sources, should consider the privacy commissioners' newly-emboldened posture on its commitment to bring organizations into compliance with Canadian privacy laws.Bennett Jones would be pleased to help you navigate Canada's complex framework of privacy legislation. If you would like to learn more, we invite you to contact the authors of this post or other members of our Privacy & Data Protection group.