Saving face(s): BC Court requires Clearview AI’s facial recognition software to comply with provincial privacy laws

 
The internet is a trove of valuable data for companies. AI increases this value by making the data-gathering process infinitely faster and more effective. However, there are limits to how internet data can be used, which depend on what the data is and where it comes from.

In Clearview AI Inc. v. Information and Privacy Commissioner for British Columbia¹, the British Columbia Supreme Court confirmed that biometric information scraped from social media is subject to provincial privacy legislation and requires user consent—even if posted on a public profile.

What you need to know

• The British Columbia Supreme Court held that:
  • an individual’s personal information is subject to the privacy laws of the jurisdiction in which the individuals reside, even when that information is available online;
  • a business collecting, using or disclosing an individual’s personal information can create a “real and substantial connection” with the individual’s jurisdiction of residence, grounding the application of that jurisdiction’s laws; and
  • publishing personal information on social media does not necessarily mean an individual relinquishes control over that personal information.
• Businesses scraping personal information from social media and other websites should therefore consider whether consent is required under applicable privacy legislation.

Background

Clearview AI

Clearview AI is a U.S.-based company that provides facial recognition services to government and law enforcement agencies around the world. Clearview’s database is comprised of images of faces (and associated metadata) scraped from online sources, including social media platforms. “Scraping” refers to automatically accessing, aggregating and collecting relevant data from websites or mobile applications. Clearview then uses algorithms to analyze these images and create “vectors” representing each face, which can be compared against images users upload into Clearview’s search engine to identify potential matches.

Clearview generated significant controversy in the early 2020s, in part for its practice of broadly collecting and indefinitely storing biometric information without obtaining user consent, and in part because of reported inaccuracies and biases in its facial recognition software. This led to a series of investigations and lawsuits in various jurisdictions, including Canada, the United States, the European Union and the United Kingdom.

Clearview voluntarily agreed to stop providing services in Canada in July 2020, but has stated its intention to eventually re-enter the Canadian market.

Order of the Privacy Commissioner

In February 2020, the federal Privacy Commissioner and several provincial privacy commissioners, including the Information and Privacy Commissioner for British Columbia (the Commissioner), launched an investigation into Clearview. Following the joint investigation, the Commissioner issued an order under the British Columbia Personal Information and Privacy Act (PIPA), prohibiting Clearview from offering services to clients in British Columbia and requiring the company to (a) stop collecting, using and disclosing the personal information of British Columbians; and (b) use best efforts to delete images and biometric identifiers collected from British Columbians without consent.

Clearview challenged the Commissioner’s decision, arguing that its recommendations were “impossible” to execute and not legally warranted. In particular, Clearview argued that (a) the Commissioner erred in finding that PIPA applied to Clearview’s activities; (b) Clearview was exempt from seeking consent because the facial vectors were derived from “publicly available” photos; and (c) Clearview collected the information for a purpose that a “reasonable person” would consider appropriate.

Decision

The Court dismissed Clearview’s petition, concluding that PIPA applies to Clearview and Clearview was required to obtain consent to collect personal information published on social media because such information is not “publicly available” within the meaning of PIPA’s consent exceptions.

Collecting personal information may ground a real and substantial connection to the individual’s jurisdiction

The Court explained that out-of-province businesses collecting individuals’ personal information are subject to provincial privacy legislation where they have a “real and substantial connection” to the jurisdiction enacting the legislation and the subject matter of the legislation².

The Court found a “real and substantial connection” between Clearview and British Columbia. Clearview was engaged in “business activities” within the province by collecting, using and disclosing information of individuals in BC. Collecting data from social media websites formed “an essential part of Clearview’s business” and “the ubiquitous presence of these websites leads to the logical inference that they undoubtedly have hundreds of thousands, if not millions, of users in British Columbia”³.

The Court further noted that due to the cross-border nature of data flows and privacy concerns, privacy regulation must also be cross-border in nature. Because individuals have significant privacy interests in their biometric identifiers, there is significant public interest in addressing transnational privacy issues raised by facial recognition software.

Posting on social media does not necessarily mean information is “publicly available”

Clearview did not obtain the consent of individuals whose data it scraped. Instead, it relied on an exemption of the PIPA Regulations, exempting “personal information that appears in a printed or electronic publication that is available to the public, including a magazine, book or newspaper in printed or electronic form”. Clearview argued that all publicly accessible content on the internet should be considered “publicly available”, as individuals lose their right to control their personal information once they make it public online. Clearview argued that this would strike an appropriate balance between the rights of individuals and organizations under the privacy legislation.

The Court disagreed and stated that the phrase “publicly available” should be narrowly interpreted because it provides an exemption to a core privacy protection under quasi-constitutional legislation. Further, social media differs from the sources specifically prescribed by regulation, as social media pages are “dynamic and the information on them changes constantly; and because individuals exercise a different level of control over their social media accounts”⁴. Clearview’s interpretation of the phrase would create an extremely broad exemption, undermining any semblance of control an individual has over information (for example, individuals can choose to share information for a limited time, for a limited purpose or with a limited audience).

Ultimately, the Court found that the Commissioner’s interpretation was more attuned to the purpose of the provision within the context of the legislation and to the particularly sensitive nature of the biometric information to the individual.

Implications for businesses

As AI adoption increases, developers increasingly rely on data scraped from the internet to train their AI systems. But while this data is invaluable for AI development, it can carry risk when collected in an improper or indiscriminate manner—even when it appears to be obtained from a public source.

As much as the internet often appears borderless, it is not. Local privacy regimes may apply if a “real and substantial connection” can be drawn between business activities and an individual’s home jurisdiction. Even when businesses are not actively engaging in commercial activities within that jurisdiction, collecting, using and/or disclosing personal information of individuals within that jurisdiction may attract regulators’ attention. Therefore, businesses should be mindful of ensuring compliance with privacy regimes in the home jurisdictions of their users. This is particularly important in jurisdictions where substantial penalty powers exist (e.g., in Québec) or are being contemplated by draft legislation (e.g., in Alberta).

It is also important to note that personal information published on social media does not automatically become a public asset; individuals may retain control over the personal information that they post. When in doubt, businesses should obtain express consent when collecting, using and disclosing personal information, and should consult counsel when relying on legislative exemptions.

Finally, businesses should be aware that the risks of scraping data from the internet extend beyond privacy-related risks. As discussed in “The screen scraping risk landscape in North America: regulatory and litigation developments”, indiscriminate scraping of data can also raise contractual and copyright-related risks.