Privacy authorities in the UK and Australia have announced a joint investigation into Clearview AI, a US firm which provides facial recognition technologies.
In what might be seen as an ironic sequence of events, as the US acts the international cheerleader to combat the Chinese threat to cybersecurity and privacy, two of its allies launch a privacy investigation into one of its own firms. This is also set against a backdrop of police and intelligence authorities allegedly abusing privacy rights with the implementation of biased facial recognition technologies in various US cities.
According to a press release from the Office of the Australian Information Commissioner (OAIC) and the UK’s Information Commissioner’s Office (ICO), the probe with focus on ‘scraping’ techniques of Clearview AI and the analysis of biometric data.
“The investigation highlights the importance of enforcement cooperation in protecting the personal information of Australian and UK citizens in a globalised data environment,” the statement reads.
The investigation will aim to understand whether the data scraping activities of Clearview AI are legal with respect to the Australian Privacy Act 1988 and the UK Data Protection Act 2018.
Clearview AI was founded in 2017, creating a database of biometric data which is sold to various authorities for identification purposes. Not only has the accuracy of this data and technology been questioned in the past, the sourcing of the data is also slightly suspect.
In January 2020, Twitter sent a cease and desist letter to Clearview, demanding the company stop sourcing data from its platform but also the deletion of any data which has been collected already. Facebook and Google took similar action in February.
While Clearview AI has persistently stated its technology and databases are only used by law enforcement agencies, a data leak contradicted these claims. Analysis of the breach in February suggested the company was working with 2,200 authorities, companies and individuals around the world including the NBA, Macy’s and Walmart. It appears the commercial remit of Clearview AI has been widened.
Although data scraping is a technique which has been used by most financial analyst organisations for decades, in recent years it has taken a twist. In the early days, scraping financial data could build products, much the same as how scraping personal and biometric data is today, but the difference is privacy implications.
As privacy laws are being updated rapidly today, there are grey areas which can be taken advantage of or rules which are simply ignored, but there are regulatory issues with data scraping.
“Where businesses engage data scraping service providers, the business is responsible for providing the individuals with a privacy notice,” writes Fiona Campbell, a technology, privacy and outsourcing lawyer at Field Fisher.
“The privacy notice must contain specific information, set out in Article 14 GDPR, which includes data subject rights and how to exercise them – it must be provided to the individuals within one month of scraping their data.”
Interestingly enough, the United States Court of Appeals for the Ninth District in California said data scraping companies do not have to seek approval from websites if the relevant pages are public. In this case, LinkedIn was blocked by the courts from preventing data analytics firm HiQ from scraping data, despite the social media company attempting to protect the privacy of its users.
The US and Europe certainly have different opinions on what privacy rights actually mean, hence the creation of GDPR and the EU/US Privacy Shield to extend the privacy rights of European citizens living in Europe around the world. This investigation from the ICO and the OAIC might be another step forward to protect the interests of European and Australian citizens in countries where privacy rights are little more than irrelevant footnotes.