Canadian court upholds ruling that Clearview violated data privacy law
The controversial company Clearview AI must not collect images of residents of the Canadian province of British Columbia. The province’s Supreme Court has issued a ruling that upholds a 2021 decision by British Columbia’s Information and Privacy Commissioner.
Clearview collects photos of people online on a massive scale in order to use the images for facial recognition. The company claims its database contains more than 50 billion entries.
The company collects these images without obtaining the consent of the individuals pictured. British Columbia’s Information and Privacy Commissioner found in December 2021 that the company had violated Canada’s Personal Information Protection Act (PIPA). Clearview was ordered to delete all data that it had collected from residents of the province – and to stop collecting further data.
Court upholds ruling
Clearview attempted to fight the ruling in court. But the Supreme Court of British Columbia has now upheld the commissioner’s ruling, as the Canadian legal news site Lexpert reported last week.
As Lexpert reports, the US-based company marshaled several arguments, including that PIPA “should not apply to the company’s activities as a foreign entity.” The court rejected this and other arguments and affirmed that the Information and Privacy Commissioner did in fact have jurisdiction.
Clearview claims to sell access to its database only to government clients. Law enforcement agencies in Canada have used the company’s service in the past – but in summer 2020 the company stopped offering its service in the country. Clearview has stated that it intends to return to the Canadian market at a later date.
The Supreme Court has now found that Clearview’s voluntary exit from Canada does not exempt the company from regulatory oversight. Otherwise, the court reasoned, companies could resort to this tactic in the middle of an official investigation in order to avoid regulatory action – only to re-enter the market at a later date. Moreover, even after leaving the Canadian market, Clearview continued to collect data from individuals in Canada.
The company also claimed it did not require consent from individuals because the data it collected was “publicly available.” But on this point as well the court sided with the regulator, which found that, for example, information published on social media does not qualify as “publicly available” under PIPA.
Risk of data breaches
The court found further that Clearview could not claim a legal basis for collecting billions of images for its commercial facial recognition database. This practice also carries “significant” risk – in the event of a data breach, for example, the biometric data of billions of people could wind up in the wrong hands.
Clearview claimed in 2021 that it couldn’t determine whether a given photograph was taken in Canada or included likenesses of residents of Canada – and that, as a result, it could not delete photographs that met those criteria. But when imposing its ruling the Information and Privacy Commissioner pointed to a court proceeding in the US state of Illinois: in a filing in that case, the company had stated that it would exclude from its search results all images “that contain metadata associating them with Illinois” – and would also stop collecting such images. The court ruled that the company must now take the same measures for residents of British Columbia.
Illegal mass surveillance
The 2021 ruling by British Columbia’s Information and Privacy Commissioner was the result of a joint investigation with privacy regulators in other provinces as well as Canada’s top data privacy official, then-Privacy Commissioner Daniel Therrien. Therrien had voiced his criticism of the company earlier that year: “What Clearview does is mass surveillance and it is illegal.”
The commissioner in British Columbia had first issued recommendations. When Clearview failed to comply, the regulator followed up with a binding order.
Privacy regulators in the EU have also taken action against the company on several occasions. Most recently the Dutch data protection authority imposed a fine of €30.5 million after finding that Clearview had repeatedly violated the General Data Protection Regulation (GDPR).
Data protection authorities in Italy, Greece and France are among the regulators that have imposed financial penalties on the company in recent years.
In Germany in March 2020, Johannes Caspar, at the time Hamburg’s Commissioner for Data Protection, opened an investigation into Clearview AI. The basis for the investigation was a complaint filed by an individual affected by the company’s practices who had demanded information from Clearview regarding his data. In August 2020 Caspar had ordered Clearview to delete the complainant’s biometric profile.
For Clearview, business as usual
When imposing its fine in September, the Dutch data protection authority stated its concern that despite being fined by several other countries on several occasions, Clearview seemed unwilling to change its conduct. In August of last year the Australian privacy regulator announced that it would stop attempting to enforce its 2021 ruling against the company. Like other regulators, the Australian authority had demanded that the company delete its data – but there was no evidence that Clearview had complied with the order.
Given Clearview’s refusal to comply with regulations, the Dutch data protection authority is currently investigating whether “the directors of the company can be held personally responsible” for its data privacy violations. (js)