On February 2, 2021, Canada’s privacy commissioner Daniel Therrien and his counterparts in the three provinces that have private sector data protection laws (Alberta, British Columbia and Quebec) issued joint findings following their investigation into complaints against US-based Clearview AI. In January 2020, Clearview became the focus of attention when The New York Times revealed that the software company had built a facial recognition service that used a database of billions of images scraped from online sources, including social media sites. The company had marketed its services to police in North America. Controversy mounted in Canada when it was reported that, in spite of initial denials, police across Canada had been using Clearview’s product — sometimes without the awareness of those in command. The revelations sparked privacy complaints about Clearview’s practices, as well as about police services’ use of their service. The joint findings address the first category, Clearview’s practices. This article identifies five key takeaways.
1. Scraping Personal Data from Social Media Sites Without Consent Violates Canadian Law
Data scraping is a widespread practice that involves the automated harvesting of data — including images — from publicly accessible websites. Given the vast amounts of personal information found online and the many ways in which such data can be used, scraping raises significant privacy challenges. Clearview maintained that information on publicly accessible websites was fair game. The company argued that it was exempt from consent requirements under the Personal Information Protection and Electronic Documents Act (PIPEDA) and its provincial equivalents, because it fell within the exception to consent for personal information that is “publicly available.” The commissioners ruled that this exception, which is narrowly defined in regulations, does not extend to user-contributed information on social media websites.
2. The US-Based Company Had a “Real and Substantial Connection” to Canada
Clearview argued that Canadian laws did not apply to its activities because it had only limited ties to Canada. It collected data from online sources globally, and only one Canadian police service — the Royal Canadian Mounted Police — actually had a paid account. According to the Federal Court, PIPEDA applies where there is a “real and substantial connection” to Canada. The commissioners found that Clearview marketed its services to Canadian police agencies, and had 48 police accounts in Canada (whether paid or not), from which thousands of searches were carried out. Clearview also harvested Canadians’ data. These facts amply established a real and substantial connection.
In their analysis of provincial jurisdiction, the commissioners also rejected Clearview’s arguments that it was not subject to the data protection laws of Alberta, British Columbia and Quebec. They stated that “whenever a company collects the personal information of individuals located within a province, regardless of where the company is located, the Provincial Acts apply.”
3. Cooperation Between Federal and Provincial Commissioners Has Interesting Legal Implications
Clearview is yet another recent instance in which federal and provincial commissioners have conducted a joint investigation in a case with national scope. Such an approach helps develop common interpretations of similar provisions in a context in which clarity and uniformity are beneficial. However, the practice raises interesting questions. Where a province enacts “substantially similar” legislation, PIPEDA’s application is exempted with respect to those activities covered by the provincial law. Recent joint investigations (for example, into the Cambridge Analytica scandal and into Cadillac Fairview’s use of facial recognition technology) have found breaches of both federal and provincial laws, without specifying which acts contravened which laws. The approach suggests that the commissioners see their jurisdictions as concurrent and overlapping, an interpretation that could be challenged.
The growing cooperation and engagement between the federal commissioner and the provincial privacy commissioners of Alberta, British Columbia and Quebec also highlights the absence of Canada’s largest province from this mix. Ontario has recently consulted on whether it should enact its own private sector data protection law. If Ontario wishes to be part of the cooperative approach to shaping Canadian law in this area, it will need to do so.
4. If Clearview AI Contests Any Orders, the Commissioners’ Common Front Could Erode
Now that the commissioners’ findings are out, the common approach may begin to crumble. The provincial commissioners have order-making powers under their legislation and can order Clearview to comply with their laws. These orders are subject to judicial review, but some deference is owed to commissioners in such proceedings. By contrast, the federal commissioner has no order-making powers and must go to the Federal Court for an order against Clearview. Proceedings before the Federal Court are an entirely new hearing, not a review of the findings. It is possible that the commissioners’ common front will erode if Clearview contests any orders (which it is likely to do), and if the several courts that might ultimately hear such challenges see things differently from the commissioners or each other.
5. Bill C-11’s Promised Enforcement Boost Could Fall Short
Bill C-11, the bill to reform PIPEDA that is currently before Parliament, promises enhanced enforcement, including order-making powers for the privacy commissioner. However, under Bill C-11, the commissioner’s findings and orders can be appealed to a new “Privacy and Data Protection Tribunal,” which will owe no deference on questions of law. Further, although the bill contains long-promised tougher enforcement in the form of substantial penalties for egregious contraventions of the law, these penalties are only available for the breach of specific listed provisions. Provisions relating to the massive harvesting of data without consent in order to create a giant facial recognition database are not on the list.