Are web postings exempt from the privacy laws? Commissioners’ Clearview AI ruling says no
In a decision released earlier this month,[2] the federal Privacy Commissioner and his provincial counterparts in Quebec, Alberta and B.C. ruled that Clearview AI’s business of scraping the Internet for photographs of individuals to create a database for law enforcement agencies contravenes Canada’s privacy laws. At the heart of the decision is the Commissioners’ determination that photographs available on social media and other online sites do not fall within the privacy laws’ exemption for “publicly available information”.
Clearview AI’s facial recognition tool
Clearview’s business model involves “scraping” photographs of individuals off the internet and providing them, together with other identifiable data, to police forces to aid in their investigations. Clearview has stated that it has amassed a database of more than three billion photos, worldwide. This database of photos enables users of the Clearview’s app to match a person to their online photos and link back to the webpages where the photos were found. More precisely, for law enforcement, it means increasing the likelihood of identification of suspects in connection with a criminal investigation for whom only a photograph or video image exists. During 2019 and 2020 a number of Canadian law enforcement agencies, including the RCMP, used the service, on a free, trial basis.
The Commissioners commenced an investigation in mid-2020, following which Clearview announced that it was ceasing offering its product in Canada, pending resolution of the investigation. However Clearview did not say it would stop collecting images of Canadians on the Internet, nor did it undertake to delete the records that it currently holds.
Are Internet postings “public information”?
The federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), and the relevant provincial laws[3] provide an exception to their compliance requirements – for what has been considered a relatively narrow scope of personal information made available in public sources such as the telephone directory and professional directories as well as publications in which an individual has provided the information – indicating as examples of the latter, magazines, books and newspapers in printed or electronic form. The issue that the Commissioners wrestled with was whether the term “publications” should extend to web sites and in particular social media sites.
The issue has great significance – essentially asking the question whether information about private individuals available online, including photographs and other information, should be considered public in a generic sense and therefore outside the protection of the privacy laws.
As a general proposition, personal information available in public spaces is considered protected by privacy law, and therefore subject to the rules requiring consent to collection and use, unless it falls within an exception to those laws – such as the publicly available information exception – or cannot be restricted by those laws if it is protected by the right to freedom of expression under the Canadian Charter of Rights and Freedoms’.[4]
The Commissioners determined that the exception does not apply to Internet media, citing the examples included in the definition (magazines, books and newspapers) and distinguishing them from Internet postings, in particular social media. The Commissioners base this distinction on two key differences; firstly, that such postings are by their very nature dynamic in content, changing frequently, and secondly, that individuals exercise a significant direct control over such postings by way of privacy settings or other tools. This “control’ aspect, the Commissioners noted, is a fundamental component of privacy protection – implying that exempting a communication medium, such as a social media site, from such protection would be inconsistent with the underlying purposes of the privacy laws.
In the Commissioners’ view, Clearview’s argument that the term “publication” necessarily includes “public blogs, public social media or any other public websites,” taken to its natural conclusion, would imply that all publicly accessible content on the Internet is a publication in some form or other. The Commissioners state that this would create an extremely broad exemption that would undermine the control individuals may otherwise maintain over their information on the Internet, and that such control is a fundamental component of privacy protection.
The Commissioners also noted that even if the term “publication” could be extended to include online media, information about individuals available on such media does not always satisfy the further requirement of the exception – that the individual has provided the information. In this regard, the Commissioners noted that “[a]s Clearview engages in mass collection of images through automated tools, it is inevitable that in many instances, the images would have instead been uploaded by a third party”.
Are the privacy laws quasi-constitutional?
Underlying the Commissioners’ conclusion is their characterization of the privacy laws as “quasi-constitutional” legislation which by its nature must be given a broad and remedial application and to which any exceptions should be construed narrowly.
There is much debate as to whether the current privacy laws should be considered quasi-constitutional and more specifically, whether privacy should be considered a human right. Commentators who dispute these propositions point to the balancing principle found, for example, in section 3 of PIPEDA, which indicates that the statutory rules governing personal information should recognize not only the right of privacy of individuals but also the needs of organizations to collect, use or disclose information for purposes that a reasonable person would consider appropriate in the circumstances.[5] They argue that this balancing dictate together with general rules of statutory interpretation necessarily imply that both the mandatory requirements of the laws as well as the exceptions to them should be given a broad and remedial application.
Not for an appropriate purpose
In addition to finding that the consent exception did not apply, the Commissioners concluded that Clearview AI’s scraping of photographs from online media for commercial and law enforcement uses did not satisfy the laws’ overarching “appropriate purpose” requirement. Put simply, this requirement states that any collection, use or disclosure of personal information under the laws, whether consent is required or not, must be what a reasonable person would find appropriate in the circumstances. This is an overarching – in effect gateway – requirement of the laws.
The Commissioners found that the information at issue (facial biometrics) was sensitive and that Clearview AI’s mass and indiscriminate scraping of these images from millions of individuals, including children, and the subsequent use and disclosure of that information for its own commercial purposes – unrelated to the purposes for which the images were originally posted, and potentially, to the users’ detriment and risk such as through prosecution or misidentification, was not an appropriate purpose and therefore failed to meet the laws’ basic precondition for acceptability.
Clearview AI did not agree with the Commissioners’ determination, arguing that its collection of data for law enforcement investigation purposes would be considered by a reasonable person “appropriate, reasonable and legitimate in the circumstances”.
Where do we go from here?
Clearview withdrew from its operations in Canada last summer when the Commissioners initiated their investigation. It had requested them to suspend their investigation pending their providing guidance respecting artificial intelligence applications, to be completed within a two-year period. The Commissioners declined to do so, indicating that Clearview should cease its facial recognition activities in Canada, cease collecting images of Canadians and delete those already in its database. Clearview has ceased activities in Canada but has refused to delete images of Canadians collected through its scraping practices.
The Commissioners indicate in their report that if Clearview refuses to comply with their requirements, they will undertake legal remedies to enforce them.
Clearview has not indicated any inclination to challenge the Commissioners’ ruling in court. However if the Commissioners make good on their threat to compel compliance through legal remedies, a judicial determination of these issues surrounding the scope of the “publicly available” exception, and more broadly the issue of Internet postings, might be in the offing.
© David Young Law 2018 Read the Full PDF: David Young Law Compliance Bulletin February 2021
For more information please contact:
David Young 416-968-6286 david@davidyounglaw.ca
Note: The foregoing does not constitute legal advice. Readers are cautioned that for application to specific situations, legal advice should be obtained.
© David Young Law 2021
[1] A version of this article was originally published by The Lawyer’s Daily (www.thelawyersdaily.ca), part of LexisNexis Canada Inc.
[2] Joint investigation of Clearview AI, Inc. by the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, the Information and Privacy Commissioner for British Columbia, and the Information Privacy Commissioner of Alberta; PIPEDA Report of Findings #2021-001, February 2, 2021.
[3] Act respecting the protection of personal information in the private sector (Quebec); Personal Information Protection Act (Alberta); Personal Information Protection Act (B.C.)
[4] See: Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, 2013 SCC 62 (CanLII), [2013] 3 SCR 733 (union photographs of strikebreakers crossing a picket line posted on a website representing the union’s freedom of expression could not be prohibited by the privacy law).
[5] See, for example, Barry Sookman, Dan Glover and Jade Buchanan, “Exceptions from consent in PIPEDA: facial recognition, privacy and Clearview”, barrysookman.com, February 10, 2021.