Published 21 August 2024
The Office of the Australian Information Commissioner (OAIC) has been considering whether to take further action against Clearview AI, Inc., which was the subject of a determination under s 52(1A) of the Privacy Act 1988 (Cth) issued on 14 October 2021. That determination found that Clearview AI, through its collection of facial images and biometric templates from individuals in Australia using a facial recognition technology, contravened the Privacy Act, and breached several Australian Privacy Principles (APPs) in Schedule 1 of the Act, including by collecting the sensitive information of individuals without consent in breach of APP 3.3 and failing to take reasonable steps to implement practices, procedures and systems to comply with the APPs.
Notably, the determination found that Clearview AI indiscriminately collected images of individuals’ faces from publicly available sources across the internet (including social media) to store in a database on the organisation’s servers. In the determination, the Australian Information Commissioner made several declarations, including for the organisation to cease collecting images from individuals in Australia. On 3 November 2021, Clearview AI commenced proceedings in the Administrative Appeals Tribunal (AAT) to challenge the determination. After the AAT found that Clearview AI had breached certain of the APPs, Clearview AI withdrew from the proceedings in August 2023, before the AAT could make orders regarding steps Clearview AI must take to remedy the breach. The original determination therefore still stands, as do the declarations contained therein, including that Clearview AI must not collect images from individuals in Australia and must delete all images it had previously collected from individuals in Australia.
In early 2024, there was some media reporting alleging that Clearview AI was continuing to collect images from individuals in Australia. That media reporting was not based on new information, but rather referenced statements made by Clearview AI in the course of the AAT proceedings in 2023. Nevertheless, it gave rise to questions about whether Clearview AI was complying with the terms of the Australian Information Commissioner’s 2021 determination.
Privacy Commissioner Carly Kind said, “I have given extensive consideration to the question of whether the OAIC should invest further resources in scrutinising the actions of Clearview AI, a company that has already been investigated by the OAIC and which has found itself the subject of regulatory investigations in at least three jurisdictions around the world as well as a class action in the United States. Considering all the relevant factors, I am not satisfied that further action is warranted in the particular case of Clearview AI at this time.
“However, the practices engaged in by Clearview AI at the time of the determination were troubling and are increasingly common due to the drive towards the development of generative artificial intelligence (AI) models. In August 2023, alongside 11 other data protection and privacy regulators, the OAIC issued a statement on the need to address data scraping, articulating in particular the obligations on social media platforms and publicly accessible sites to take reasonable steps to protect personal information that is on their sites from unlawful data scraping.
“All regulated entities, including organisations that fall within the jurisdiction of the Privacy Act by way of carrying on business in Australia, which engage in the practice of collecting, using or disclosing personal information in the context of artificial intelligence are required to comply with the Privacy Act. The OAIC will soon be issuing guidance for entities seeking to develop and train generative AI models, including how the APPs apply to the collection and use of personal information. We will also issue guidance for entities using commercially available AI products, including chatbots.
“In the meantime, we reiterate that the determination against Clearview AI still stands.”