The ICO and the Office of the Australian Information Commissioner (OAIC) opened a joint investigation into the personal information handling practices of Clearview AI Inc in July 2020. The investigation focused on the company’s use of data scraped from the internet and the use of biometrics for facial recognition. Clearview AI’s facial recognition tool includes a database of more than three billion images taken from social media platforms and other publicly available websites. The tool allows users to upload a photo of an individual’s face and find other facial images of that person collected from the internet. It then links to where the photos appeared for identification purposes.
The ICO and OAIC worked together on the evidence-gathering stage of the investigation. As both data protection authorities operate under their own country’s legislation, any outcomes are considered separately. Each authority has also been looking separately at their respective police forces’ use of the technology.
The OAIC has released its determination into Clearview AI which is published on the OAIC website. It highlights the lack of transparency around Clearview AI’s collection practices, the monetisation of individuals’ data for a purpose entirely outside reasonable expectations, and the risk of adversity to people whose images are included in their database.
Its conclusions are that Clearview AI breached Australian privacy laws by:
- collecting Australians’ sensitive information without consent;
- collecting personal information by unfair means;
- not taking reasonable steps to notify individuals of the collection of personal information;
- not taking reasonable steps to ensure that personal information it disclosed was accurate, having regard to the purpose of disclosure; and
- not taking reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles.
The determination orders Clearview AI to cease collecting facial images and biometric templates from individuals in Australia, and to destroy existing images and templates collected from Australia.
The joint investigation has finished and the ICO is considering its next steps and any formal regulatory action that may be appropriate under the UK data protection laws.