The collection (and over collection) of personal information, cybersecurity incidents, and data breaches have never been more topical. Advancements in technology have led to greater global interaction and allowed for commercial efficiency in a time of limited connection. With advancements in technology, however, have come concerns for the privacy rights of individuals. In speaking about artificial intelligence, the Privacy Commissioner of Canada, Daniel Therrien, has stated, “[a]rtificial intelligence has immense promise, but it must be implemented in ways that respect privacy, equality and other human rights.[…] A rights-based approach will support innovation and the responsible development of artificial intelligence.”
In assessing new technologies, data privacy regulators abroad and in Canada are increasingly and consistently critical of unfettered collection, use, and disclosure of personal information. This critical lens informed their assessment of the work of Clearview AI, a U.S.-based technology company found in violation of Canadian privacy law.
Clearview AI found in violation of PIPEDA
Clearview AI created and maintains a database of over three billion images scraped from internet websites without users’ consent. Its platform supports law enforcement agencies in their efforts to identify individuals. In pursuit of this purpose, Clearview AI has allowed its users, including the Royal Canadian Mounted Police, to match photographs they have with those illegally obtained in their database.
In February of this year, the Privacy Commissioner of Canada (“OPC”), the Commission d’accès à l’information du Québec (“CAI”), the Information and Privacy Commissioner for British Columbia (“OIPC BC”), and the Information and Privacy Commissioner of Alberta (“OIPC AB”) conducted a joint investigation to assess whether Clearview AI was compliant with Canadian privacy legislation (the “Joint Investigation”).
The Joint Investigation found that Clearview AI was in violation of federal private sector privacy legislation, the Personal Information and Electronic Documents Act (“PIPEDA”). In particular, the privacy protection agencies found that Clearview AI failed to obtain consent from individuals when collecting their biometric information. As well, the Joint Investigation found that the information was collected for inappropriate purposes due to the risk of harm to individuals and that the information was collected in an unreasonable manner, via scraping publicly accessible websites.
Three provinces adopted the Joint Investigation recommendations
In light of the publication of the Joint Investigation, on December 14, 2021, the OPC published a news release outlining that three provincial protection authorities, the CAI, the OIPC BC, and the OIPC AB have ordered Clearview AI to comply with recommendations flowing from the Joint Investigation.
The legally binding orders outlined in the Joint Investigation and adopted by the three provinces require Clearview AI to stop offering facial recognition services in the respective provinces and also to stop collecting, using, and disclosing the images of people in the three provinces without their consent. The orders also require Clearview AI to delete existing images and biometric facial arrays collected without consent from individuals in the provinces. Though this is a helpful first step, it will be interesting to determine if other provinces follow suit.
A case for privacy reform
The adoption of the orders by these three provincial privacy regulators thus far presents the reality that enforcement of privacy regulations is (relatively speaking) minimal in Canada as compared with that of other jurisdictions. While the OPC has found that Clearview AI is in violation of PIPEDA, it does not have the authority to order compliance or to levy fines. This means that the decision to adopt the recommendations outlined in the Joint Investigation to protect Canadians’ privacy remain in the hands of provincial privacy protection authorities.
This absence of authority has been the subject of discussions surrounding privacy reform. At this time last year, Bill C-11 sought to replace PIPEDA with the Consumer Privacy Protection Act (“CPPA”). After numerous criticism of Bill C-11, largely for its prioritization of corporate interests over consumer rights, it was ultimately dropped when a federal election was called in August 2021. Despite the death of Bill C-11, the federal government has said it plans to move forward in the future with a “comprehensive reform” of privacy legislation.
However, while federal attempts to modernize have not yet been successful, this past year, Quebec’s Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, received assent. As we have previously reported, Bill 64 provides Quebec’s regulator greater authority to allow for the increased enforcement of privacy protections.
As privacy reform continues to be a topic of discussion, it will be interesting to see if federal privacy reform grants the federal OPC and other provincial privacy protection agencies authority to meaningfully enforce the law and impose penalties such that they are able to both proactively and reactively prevent violations of Canadian’s privacy rights.
For further updates, take a look at the MT Cybersecurity Blog.
 Office of the Privacy Commissioner of Canada, News Release: Commissioner Issues Proposals on Regulating Artificial Intelligence, online: https://www.priv.gc.ca/en/opc-news/news-and-announcements/2020/nr-c_201112/