Case study: Clearview AI Inc v Australian Information Commissioner

Person using biometric facial recognition software to access a computer.

The recent findings of a review by the Administrative Appeals Tribunal into the practices of facial recognition software service Clearview provide valuable insights into the extra-territorial application of the Privacy Act.

What is Clearview AI Inc?

Clearview AI Inc (Clearview) is an entity incorporated in Delaware, USA that offers a facial recognition software service to law enforcement agencies.

The Clearview technology

Clearview developed a computer program known as a "web crawler" that visits public websites to identify and collect facial images, including image metadata.
The facial images are stored in a database hosted on Clearview servers outside of Australia. Clearview uses these images to draw a "vector" from the facial features contained in the images and stores those vectors in a separate database.

A customer can search the Clearview image database by uploading an image to the Clearview system to compare that image against the Clearview image database. Sufficiently similar images identified by the Clearview software are provided to the customer.

Clearview offered its services to law enforcement agencies in Australia on a trial basis.

OAIC privacy investigation

In July 2020, the Office of the Australian Information Commissioner (OAIC), with the United Kingdom Information Commissioner's Office opened a joint investigation into Clearview's activities. Clearview ceased offering free trials to Australian law enforcement agencies after the investigation was announced. However, Clearview continued to collect images from servers located in Australia.

The Australian Information Commissioner and Privacy Commissioner determined Clearview breached the Privacy Act 1988 (Cth) (Privacy Act). Refer to our previous insight on the OAIC's investigation into Clearview's privacy practices for more information about the determination.

Clearview sought to review the OAIC's decision in the Administrative Appeals Tribunal (AAT).

AAT review

The AAT considered the following issues:

  1. Whether Clearview has the necessary "Australian link" and is bound by the Privacy Act.
  2. If yes to Question 1, whether Clearview is an "APP entity".
  3. If yes to Question 2, whether Clearview's activities breached APP 1.2, APP 3.3, APP 3.5 and APP 5.1 of the Privacy Act.

AAT findings

Extra-territorial application of the Privacy Act

The AAT determined Clearview has the necessary "Australian link" and its acts and practices outside Australia are subject to the Privacy Act. Consequently, Clearview was found to be an "APP entity".

Despite having no offices or servers in Australia, Clearview was still "carrying on a business in Australia" and subject to the Privacy Act. The AAT found the acquisition of images from servers located in Australia (and worldwide) was a key element of Clearview's business and therefore it was carrying on a business in Australia.

In 2022, the Privacy Act was amended to broaden the scope of the extra-territorial application of the Privacy Act. The AAT found Clearview was bound by the Privacy Act under both the pre- and post-2022 wording of the extra-territorial provisions of the Privacy Act.

Breach of APPs

The AAT determined Clearview breached APP 1.2 and APP 3.3 of the Privacy Act. The AAT was satisfied that it had not breached any other APP.

Clearview was collecting images of individuals' faces to be used for biometric identification. The AAT considered that when biometric information is acquired and used for biometric identification it becomes sensitive information. Consequently, Clearview was collecting the sensitive information of individuals without consent in breach of APP 3.3.

The AAT also determined, as a consequence of breaching APP 3.3, Clearview also breached APP 1.2 by failing to take reasonable steps to implement practices, procedures and systems to comply with the APPs.

Next steps

The AAT's findings are significant given there is limited judicial consideration of the extra-territorial application of the Privacy Act. It is evident from this case that consideration of a business' activities and online data collection practices are crucial in determining whether a business has an "Australian link". This approach reflects modern e-commerce, the use of new technology, and the digital economy in which we operate.

The AAT will consider in a separate hearing whether a declaration under section 52 of the Privacy Act should be made and issue a formal review decision in relation to the Privacy Commissioner's determination.

The AAT decision Clearview AI Inc and Australian Information Commissioner [2023] AATA 1069 (8 May 2023) is published on the AustLII website.

Return to Privacy: Mid-year review 2023

All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.