Insights from the Information Commissioner's investigations into Uber, 7-Eleven and Clearview AI

In 2021, the Office of the Australian Information Commissioner (OAIC) released three determinations in respect of its investigations into the privacy practices of Uber, 7-Eleven and Clearview AI.

These three investigations show how important it is for organisations to adopt processes and procedures to protect personal information and comply with the Privacy Act 1988 (Cth) (Privacy Act) ─ particularly when adopting new technologies.

The OAIC is an independent statutory body responsible for the privacy functions conferred by the Privacy Act. The OAIC has the power to commence investigations into an act or practice of an APP entity that might breach the Privacy Act.

Uber Technologies, Inc. & Uber B.V.

Background

In Australia, Uber B.V. (UBV) is a ride hailing service delivered through a mobile application for Australian users. UBV has been operating in Australia and collecting customers' and drivers' personal information since September 2012. UBER Technologies Inc (UTI) was contracted by UBV to process information in accordance with UBV's instructions under a processing agreement. In October and November 2016 the personal data of drivers and customers, stored by UTI in a cloud-based storage service, was accessed by an unauthorised third party.

The investigation

In December 2017, the then Privacy Commissioner commenced an investigation into the 2016 unauthorised access and downloading of archived driver and rider information by a third party. The scope of the OAIC's investigation increased over the next three years.

Determination and declaration

The OAIC found UBV and UTI (collectively the Uber Companies) interfered with the privacy of approximately 1.2 million Australians by failing to comply with the Australian Privacy Principles, in particular APP 1.2, APP 11.1 and APP 11.2. The Information Commissioner made a number of declarations primarily focused on improving the Uber Companies' information security practices, policies and procedures, introducing a data breach response plan, and monitoring the Uber Companies' implementation and maintenance of its policies and procedures to ensure they adhered to the measures set out in the declarations.

Key takeaways for APP entities

• At all stages of the information lifecycle, an APP entity must take reasonable steps to protect personal information held by the entity from misuse, interference and loss, as well as unauthorised access, modification or disclosure. Relying on contractual measures may not be sufficient and entities must also adopt technical measures to protect personal information, such as implementing multifactor authentication and regularly auditing access controls.
• An APP entity must have processes in place to identify personal information that needs to be destroyed or de-identified. When deleting information, it is essential to take extra precautions by reviewing and deleting backup files that are no longer needed.
• Data breach and incident response plans are necessary under APP 1.2. APP 1.2 requires entities to implement practices, procedures and systems to manage data breaches.
• This decision is also a stark reminder of the extraterritorial reach of the Privacy Act. A link to our article which unpacks the extraterritorial jurisdiction provisions in the Privacy Act can be accessed here.

7-Eleven

Background

7-Eleven is a private company with over 700 convenience stores across Australia. Between 15 June 2020 and 24 August 2021, 7-Eleven deployed a technology-enabled customer feedback mechanism in its stores. The mechanism used third-party facial recognition technology to collect facial images and faceprints of customers who completed a feedback survey using an instore tablet device. The facial images were retained for seven days and the faceprints were retained for an indefinite period.

The investigation

On 21 February 2021, the OAIC commenced an investigation into whether 7-Eleven's use of facial recognition technology to collect facial images and faceprints of its customers was an interference with the privacy of individuals who completed the instore survey. The OAIC considered APP 3.3, 3.5 and 5 in relation to 7-Eleven's use of the facial recognition technology.

Determination and declaration

The OAIC found 7-Eleven interfered with the privacy of individuals by failing to comply with APP 3.3 and APP 5. The OAIC did not make a finding in relation to APP 3.5. The OAIC made a declaration that 7-Eleven must destroy all faceprints it had collected through the customer feedback mechanism and provide written confirmation of their destruction to the OAIC.

Key takeaways for APP entities

• "Collection" is a broad concept under the Privacy Act. An APP entity must carefully assess its information handling practices throughout the entire information lifecycle and assess if it is collecting personal information in circumstances where it may not be immediately evident. An APP entity may collect personal information by creation. The faceprints were generated from other information the respondent held (ie facial images) and collected by 7-Eleven for inclusion in a record.
• An APP entity will collect personal information even if it has no access to the information. 7-Eleven submitted the faceprints were generated by, and stored, on a server controlled by its service provider. Nevertheless, the Commissioner found 7-Eleven collected the faceprints due to the contractual arrangement agreed between 7-Eleven and the service provider.
• An APP entity must assess whether its information collection practices will involve the collection of sensitive information. The facial images and faceprints were considered biometric information. The facial images showed biometric features of an individual's face, unique to that individual. The faceprints were an "algorithmic representation of a face" derived from biometric samples. The facial images and faceprints were used in an automated biometric identification system to compare biometric characteristics.
• An APP entity must collect a person's sensitive information with their consent, unless an exception applies. The information must also be reasonably necessary for the entity's functions and activities. The potential harm associated with collecting sensitive information should be balanced with the benefit of collecting the information and any other ways to achieve the same outcome without the information. In this case, the Commissioner found 7-Eleven did not obtain an individual's consent to collect their personal information.
• A collection notice must be tailored to the information collection activity in question, specifically detailing the purpose of the collection of personal information by an APP entity. Reasonable steps must be taken to provide a collection notice, at or before, a person's personal information is collected. It is not enough to rely on a publicly available privacy policy alone to satisfy APP 5 requirements. Despite 7-Eleven placing a notice at the entrance of stores alerting customers that they may be subject to facial recognition technology and having a publicly accessing privacy policy on the 7-Eleven website, the notice and policy did not address all APP 5 matters.

Clearview AI

Background

American facial recognition company Clearview AI provides a facial recognition search tool for mobile and web users. The tool allows users to upload an image of an individual's face and search Clearview AI's database for likely matches, to enable identification of the individual. Clearview AI's userbase comprises government and law enforcement entities who use the tool for law enforcement and national security purposes.¹

The investigation

On 7 July 2020, the OAIC and the UK Information Commissioner's Office (ICO) commenced a joint investigation into Clearview AI's data processing practices. Specifically, the OAIC's investigation focused on whether Clearview AI had met the requirements of a number of Australian Privacy Principles (APP 1.2, APP 3.3, APP 3.5, APP 5 and APP 10.2).

Determination and declaration

The OAIC found Clearview AI failed to comply with APP 1.2 ─ to take reasonable steps to implement practices, procedures and systems relating to its functions or activities, that will ensure compliance with the APPs. Clearview AI also interfered with the privacy of Australian individuals by failing to comply with APP 3.4, APP 3.5, APP 5 and APP 10.2 when collecting images of Australian individuals and creating a mathematical representation of these images, resulting in the generation of biometric information and biometric templates.

The OAIC made a number of declarations under the Privacy Act, including that Clearview AI does not repeat or continue the acts or practices that were found to be an interference with privacy. Clearview AI was ordered to cease collecting information of Australian individuals and destroy their facial images, biometric information and biometric templates.

Key takeaways for APP entities

• The OAIC will work with other overseas regulators to conduct joint investigations, where multiple data protection authorities are investigating the same or similar questions or subject matter.
• APP entities must obtain the consent of individuals before collecting their sensitive information. Implied consent should generally not be relied on when collecting sensitive information.
• Personal information must be collected by "fair" means. Clearview AI's collection of sensitive information in a covert and indiscriminate manner for commercial purposes was not considered fair.
• APP entities must take reasonable steps to notify individuals about the fact and circumstances of, and the purpose of, collecting their personal information. More rigorous notification steps must be taken when collecting sensitive information.
• APP entities must take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant. Evidence of such steps should be retained for compliance purposes.
• The OAIC expects APP entities to conduct Privacy Impact Assessments for complex projects to determine and manage their privacy impacts.
• A comprehensive Privacy Impact Assessment will be required where:
  • a novel technology is developed, involving a new way of handling personal information
  • a large amount of personal information will be handled and sensitive information will be collected
  • there are potential adverse effects to individuals as a result of the collection of sensitive information
  • there is significant public interest in the privacy aspects of the project and the potential to lead to increased surveillance and monitoring of individuals.

---

¹ We note the Information Commissioner also initiated an investigation into the Australian Federal Police's privacy practices in respect of its trial use of facial recognition technology. The Information Commissioner's Determination in respect of this investigation can be found on the OAIC website: https://www.oaic.gov.au/privacy/privacy-decisions/privacy-determinations