Should publicly available digital personal data be up for grabs?

A joint investigation by OAIC and ICO orders US-based facial recognition company to destroy all its data collected on Australian citizens

The joint investigation started by the Office of the Australian Information Commissioner (OAIC) and UK’s ICO has found that leading US-based facial recognition company Clearview has violated Australian data privacy legislation on several accounts by offering branches of the Australian police their database of 10 bn facial images that they have built by scraping social media and publicly available sites. The aim of the police’s trial that deployed Clearview’s tool was to test the efficacy of identifying photos of suspects by tying them to online profiles in the Clearview’s’s database with the help of AI.

According to the findings of the investigation, Clearview has violated the Australian Privacy Act 1988 by collecting Australian citizens’ sensitive information by unfair means and without their consent. Moreover, OAIC has also found that Clearview breached the Privacy Act by not taking reasonable steps to ensure that the information it collected was accurate. Clearview has been ordered to cease the collection of Australian individuals’ data, as well as to destroy any Australian biometric information collected within 90 days.

Hoan Ton-That, the Australian CEO of Clearview has argued against the ruling saying that it has scraped American online platforms to compile its database of images and, therefore, its activity is not within the Australian Privacy Act’s jurisdiction. Mark Love, a lawyer acting for Clearview, said the company had gone to “considerable lengths” to cooperate, and claimed “the commissioner has not correctly understood how Clearview AI conducts its business.”

Clearview is already facing class action lawsuits in NY and California for violating state constitution by its methods of collecting biometric information. The Californian lawsuit has labelled it as “the most dangerous” facial recognition database in the nation nearly seven times the size of the FBI’s – the FBI, paradoxically, being one of the law enforcement agencies that are among the 3,100 active users of the company’s contentious database.

The UK’s ICO is considering its next steps and any formal regulatory action under the UK’s data protection laws separately from the OAIC.