February 4, 2021 - Private Sector

Clearview AI’s Facial Recognition Tool Found to Violate Canadian Privacy Laws

Four Canadian privacy regulators have issued a much anticipated decision finding that the mass collection of images and biometric identifiers from publicly available sources by Clearview AI, Inc. violated federal and provincial privacy laws.

In a joint Report of Findings released yesterday by the Office of the Privacy Commissioner of Canada, the Information and Privacy Commissioner for British Columbia, the Information and Privacy Commissioner of Alberta, and the Commission d’accès à l’information du Québec, the four Canadian privacy regulators forcefully rejected Clearview’s assertions regarding the legitimacy of the facial recognition tool for law enforcement and investigative purposes.  

The decision is of relevance to organizations across a broad range of sectors, including those that are considering the use of biometric technologies as well as organizations looking to leverage publicly available data. Key privacy regulatory findings in the joint decision include:

  • Biometric information and facial recognition data is sensitive personal information which requires express consent to collect and use.
  • Individuals who post their images online do not reasonably expect that a third party such as Clearview would collect, use and disclose their images for identification purposes.
  • Information that is publicly posted on social media or other websites will not be covered by the “publicly available” exemption under privacy laws where that data is used for an unrelated purpose.
  • The mass collection of publicly available images and the creation of biometric identifiers was not for a reasonable purpose, and this could not be made lawful with the individual’s consent.  
  • The collection of publicly available images through the indiscriminate scraping of publicly accessible websites is not reasonable.

The decision is also notable because it considered the express consent requirements for biometric data under Quebec’s Act to Establish a Legal Framework for Information Technology, as well as the obligation to disclose the creation and existence of a database of biometric data to the Quebec Commission.

We will be providing further insight and analysis on our next AccessPrivacy Monthly Call. Our AccessPrivacy website also includes specific topic hubs on biometric data and publicly available data.