The Clearview Case: Privacy and data protection by foreign companies

21 Jan 2022

When foreign companies expand to do business in Australia, they usually consider compliance matters such as taxation, however, they seldom think about compliance issues such as privacy and data protection. This is often perceived as an issue for multi-million dollar businesses that have an entity registered in Australia to conduct their business. It is commonly a case of “I will deal with it when it becomes a problem”.

In October 2021, a US facial recognition business, Clearview AI, Inc (Clearview), learnt that privacy and data protection was a real issue in Australia when it was the subject of the determination. The Commissioner initiated investigation into Clearview AI, Inc. (Privacy) [2021] AICmr 54 (the Clearview Determination) handed down by the Australian Information Commissioner and Privacy Commissioner, Angeline Falk (the Commissioner).

Clearview’s facial recognition tool allows a user, generally a law enforcement agency officer, to upload and match an image to the images held in Clearview’s database. 

The Clearview database contains over 3 billion images that its tool had scraped from publicly available images from the internet. These images could be images of a person who uploaded their own photo onto a social media site or images of people in an uploaded group photo or someone in the background of a photograph even if they are not aware that the photograph included  them. Most of the subjects of the images are unlikely to be aware that their image has been captured in the Clearview database, let alone how their images are being used.  

In October 2019, Clearview attempted to expand its facial recognition business to Australia. As part of that expansion, Clearview offered free trials to various Australian law enforcement agencies to use their tool. At that time, Clearview had not registered an entity in Australia or generated income from Australia, however, it intended to generate revenueand it had collected images of individuals in Australia covertly.

The Commissioner found that whilst Clearview was not domiciled in Australia nor had it generated revenue in Australia at that point in time, it:

  1. was captured under the remit of the Privacy Act 1988 (Cth) (Privacy Act) by disclosing personal information about another individual to anyone else for a benefit, service or advantage (section 6D(4)(c) of the Privacy Act); and
  2. had interfered with the privacy of Australian Individuals by failing to comply with various Australian Privacy Principles (APPs), including APP 1 (open and transparent management of personal information), APP 3 (collection of solicited personal information), APP 5 (notification of the collection of personal information) and APP 10 (quality of personal information).

Clearview was ordered to:

  1. cease the collection of images of individuals in Australia in breach of the APPs,
  2. discontinue and not repeat the acts and practices found to be in breach of the APPs,
  3. destroy all images it had collected from individuals in Australia, and
  4. confirm to the Commissioner that it had destroyed the relevant images and that it had ceased collecting the images of individuals in Australia.

In the decision, Clearview was subject to:

  • the Privacy Act;
  • whether the Commissioner considered there was an Australian Link (sections 5B(2) and 5B(3) of the Privacy Act) notwithstanding Clearview being a US entity; and
  • whether Clearview was carrying on business in Australia (section 5B(3)(b) of the Privacy Act); and
  • the decision of Thawley, J in Australian Information Commissioner v Facebook Inc (No 2) [2020] FCA 1307 (Facebook No 2).

In Facebook No 2, Thawley J noted  at [43] that the Commissioner had placed particular reliance in its Explanatory Memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) that the sections 5B(3)(b) and 5B(3)(c) of the Privacy Act were “intended to capture entities based outside of an with no physical presence in Australia which collect information from individuals in Australia via a website hosted outside of Australia”. Thawley J then noted at [46] that whether an entity carries on business in a particular place is “determined by reference to the particular facts”.

The Commissioner undertook an analysis of the two main activities that were considered to be carrying on business in Australia: the use of the facial recognition tool by Australian law enforcement agencies during a trial period of the tool; and the scraping of images from the internet of individuals located in Australia.

The Commissioner found that the use of the facial recognition tool during the trial period was for the purpose of eventually generating revenue from the Australian use of the tool and also found that the scraping of images was an integral part of Clearview’s business without which it could not share and monetise the images. On this basis, the Commissioner was satisfied that Clearview had an Australian Link as it had satisfied all requirements under section 5B(3) of the Privacy Act.

The Commissioner then analysed whether Clearview fell within the definition of Organisation (section 6C of the Privacy Act) and was, therefore, an APP entity and subject to the Privacy Act.  Clearview argued that it fell within the definition of a Small Business Operator (SBO) (section 6D(1) - (3) of the Privacy Act) and was therefore exempt from the application of the Privacy Act. Despite no revenue generated in Australia from Clearview’s business activities at the time, the Commissioner was satisfied that Clearview was not classified as an SBO as it disclosed personal information about another individual (which included the scraped images of individuals in Australia) to another person (the law enforcement agencies) for a benefit, service or advantage (section 6D(4)© of the Privacy Act), and was, therefore, subject to the Privacy Act.

This decision and the Facebook case demonstrate the importance of privacy and data collection when doing business in Australia. Even if you intend to collect and use the personal information of individuals in Australia and/or are located outside Australia, or you are processing that personal information outside Australia, you may still be subject to the Privacy Act. 

 

The content of this article is intended to provide a general guide to the subject matter. Specific advice should be sought about your specific circumstances.