Facial recognition use found in breach of Australian privacy law

Australian privacy commissioner rules Clearview AI in breach of consumer privacy for facial recognition database and says multiple police forces are under investigation for employing the sensitive biometric database

Facial recognition companies and brands endeavouring to use the technology have been put on notice by Australia’s privacy commissioner after two rulings determined such data collection to be a breach of consumer privacy.

The Office of the Australian Information Commissioner (OAIC) today found Clearview AI in breach of privacy legislation for collecting images and biometric information from individuals in Australia without their consent and for the purposes of commercial gain.

A joint investigation launched into the US-based company by the Office of the Australian Information Commissioner (OAIC) and the UK Information Commission’s Officer (ICO) commenced in March 2020 found the facial recognition technology company to be in breach of privacy legislation for collecting Australians’ sensitive information without their consent.

US-based Clearview has created a facial recognition tool that’s been used to build a database of more than 3 billion images globally. To do this, the company takes data from social media platforms and publicly available websites, then links to where the photos appeared for identification purposes.

In its determination, the OAIC found Clearview collected personal information by unfair means, did not taking reasonable steps to notify individuals that such personal information was collected, and did not take reasonable steps to ensure information disclosed was accurate. Clearview was also found to have breached the Act by not taking reasonable steps to implement practices, procedures and systems to ensure compliance with Australian Privacy Principles.

The company had collected data between October 2019 and March 2020 as part of a trial of its facial recognition tool with several Australian police forces, which then used the images to conduct searches. The users included the Queensland, Victorian, South Australian and Australian Federal Police forces.

The OAIC is also finalising an investigation into the Australian Federal Police’s trial use of the technology and whether it complied with requirements under the Australian Government Agencies Privacy Code to assess and mitigate privacy risks.

Clearview has been ordered to cease collecting facial images and biometric templates, as well as destroy any Australian biometric information collected within 90 days.

In its determination, the OAIC noted the lack of transparency around Clearview AI’s collection practices, the monetisation of individuals’ data for a purpose entirely outside reasonable expectations, and the risk of adversity to people whose images are included in their database. Commissioner, Angelene Falk, also found the privacy impacts of the facial recognition system were not necessary, legitimate and proportionate against public interest benefits.

“The covert collection of this kind of sensitive information is unreasonably intrusive and unfair,” Falk stated. “It carries significant risk of harm to individuals, including vulnerable groups such as children and victims of crime, whose images can be searched on Clearview AI’s database.

“By its nature, this biometric identity information cannot be reissued or cancelled and may also be replicated and used for identity theft. Individuals featured in the database may also be at risk of misidentification.

“The indiscriminate scraping of people’s facial images, only a fraction of whom would ever be connected with law enforcement investigations, may adversely impact the personal freedoms of all Australians who perceive themselves to be under surveillance.”

In its defence, Clearview AI had argued the information handled was not personal information and that, as a company based in the US, it was not within the Privacy Act’s jurisdiction. Clearview also claimed it stopped offering its services to Australian law enforcement shortly after the OAIC’s investigation began.

However, the OAIC clearly disagreed. In the determination, it also noted Clearview had temporarily provided an opt-out process for residents in January 2020 requiring individuals to supply an email address and image verification. This form had been removed during the course of OAIC investigations.

“Consent may not be implied if an individual’s intent is ambiguous or there is reasonable doubt about the individual’s intention,” Falk stated in the determination. “I consider that the act of uploading an image to a social media site does not unambiguously indicate agreement to collection of that image by an unknown third party for commercial purposes. In fact, this expectation is actively discouraged by many social media companies’ public-facing policies, which generally prohibit third parties from scraping their users’ data.

“Moreover, consent could certainly not be inferred where an individual’s image is uploaded by another individual [including individuals depicted in the background of a scraped image] or where an individual inadvertently posts content on a social media website without changing the public default settings. 

Falk said Clearview AI’s activities in Australia involve the automated and repetitious collection of sensitive biometric information from Australians on a large scale, for profit.

“The company’s patent application also demonstrates the capability of the technology to be used for other purposes such as dating, retail, dispensing social benefits and granting or denying access to a facility, venue or device,” she said.

“This case reinforces the need to strengthen protections through the current review of the Privacy Act, including restricting or prohibiting practices such as data scraping personal information from online platforms.

“It also raises questions about whether online platforms are doing enough to prevent and detect scraping of personal information.”

The OAIC said the ICO is still considering next steps and potential formal regulatory action under UK data protection laws. The joint investigation was conducted under the Global Privacy Assembly's Global Cross Border Enforcement Cooperation Arrangement and the MOU between the OAIC and ICO.

Read more: Face recognition technology raises consumer privacy concerns

Fears about facial recognition overblown: AFP

OAIC also finds against 7-Eleven for facial recognition use

The OAIC’s decision on Clearview AI comes just a few weeks after it also ruled 7-Eleven had interfered with consumer privacy by employing facial recognition while surveying customers about their in-store experiences.

The surveys were completed between June 2020 and August 2021 on tablets with built-in cameras installed in 700 stores. Customers completed 1.6 million surveys in the first 10 months.

The determination found individuals did not give either express or implied consent to the collection of their facial images or faceprints. The OAIC said 7-Eleven also failed to take reasonable steps to notify individuals of the collection of personal information.

The OAIC said large-scale collection of sensitive biometric information through 7-Eleven’s customer feedback mechanism was not considered reasonably necessary for the purpose of understanding and improving customers’ in-store experience.

In its determination, Falk classified facial images and faceprints as sensitive information covered by additional protections under the Privacy Act 1988 because they are ‘biometric information that was used for the purpose of automated biometric identification’.

“Biometric information is unique to an individual and cannot normally be changed,” Falk said. “Entities must carefully consider whether they need to collect this sensitive personal information, and whether the privacy impacts are proportional to achieving the entity’s legitimate functions or activities.

“While I accept that implementing systems to understand and improve customers’ experience is a legitimate function for 7-Eleven’s business, any benefits to the business in collecting this biometric information were not proportional to the impact on privacy.”

7-Eleven has since ceased collecting facial images and faceprints as part of the customer feedback mechanism. It has also destroyed existing facial images collected as requested by the commissioner.

Don’t miss out on the wealth of insight and content provided by CMO A/NZ and sign up to our weekly CMO Digest newsletters and information services here.  

You can also follow CMO on Twitter: @CMOAustralia, take part in the CMO conversation on LinkedIn: CMO ANZ, follow our regular updates via CMO Australia's Linkedin company page

 

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments

Latest Videos

More Videos

More Brand Posts

What are Chris Riddell's qualifications to talk about technology? What are the awards that Chris Riddell has won? I cannot seem to find ...

Tareq

Digital disruption isn’t disruption anymore: Why it’s time to refocus your business

Read more

Enterprisetalk

Mark

CMO's top 10 martech stories for the week - 9 June

Read more

Great e-commerce article!

Vadim Frost

CMO’s State of CX Leadership 2022 report finds the CX striving to align to business outcomes

Read more

Are you searching something related to Lottery and Lottery App then Agnito Technologies can be a help for you Agnito comes out as a true ...

jackson13

The Lottery Office CEO details journey into next-gen cross-channel campaign orchestration

Read more

Thorough testing and quality assurance are required for a bug-free Lottery Platform. I'm looking forward to dependability.

Ella Hall

The Lottery Office CEO details journey into next-gen cross-channel campaign orchestration

Read more

Blog Posts

Marketing prowess versus the enigma of the metaverse

Flash back to the classic film, Willy Wonka and the Chocolate Factory. Television-obsessed Mike insists on becoming the first person to be ‘sent by Wonkavision’, dematerialising on one end, pixel by pixel, and materialising in another space. His cinematic dreams are realised thanks to rash decisions as he is shrunken down to fit the digital universe, followed by a trip to the taffy puller to return to normal size.

Liz Miller

VP, Constellation Research

Why Excellent Leadership Begins with Vertical Growth

Why is it there is no shortage of leadership development materials, yet outstanding leadership is so rare? Despite having access to so many leadership principles, tools, systems and processes, why is it so hard to develop and improve as a leader?

Michael Bunting

Author, leadership expert

More than money talks in sports sponsorship

As a nation united by sport, brands are beginning to learn money alone won’t talk without aligned values and action. If recent events with major leagues and their players have shown us anything, it’s the next generation of athletes are standing by what they believe in – and they won’t let their values be superseded by money.

Simone Waugh

Managing Director, Publicis Queensland

Sign in