Facial-recognition company Clearview AI Inc., under regulatory and legal scrutiny in Europe, North America and Australia, is having to increasingly tailor its business to regional privacy laws. And much of the attention trained on it may hinge on the varying laws governing the use of web-scraped photos on which biometric profiles are built.
The data protection authority in Hamburg, Germany, for instance, last week issued a preliminary order saying New York-based Clearview must delete biometric data related to Matthias Marx, a 32-year-old doctoral student. The regulator ordered the company to delete biometric hashes, or bits of code, used to identify photos of Mr. Marx’s face, and gave it till Feb. 12 to comply. Not all photos, however, are considered sensitive biometric data under the European Union’s 2018 General Data Protection Regulation.
The action in Germany is only one of many investigations, lawsuits and regulatory reprimands that Clearview is facing in jurisdictions around the world. On Wednesday, Canadian privacy authorities called the company’s practices a form of “mass identification and surveillance” that violated the country’s privacy laws. Clearview said its technology is no longer available in Canada and that it would remove any data on Canadian citizens upon request.
Johannes Caspar, head of Hamburg’s data protection authority, shown here in 2016.
Photo: Lukas Schulze/DPA/Zuma Press
Clearview draws on a database of about 3 billion photos it scraped from the internet, allowing it to search for matches using facial-recognition algorithms. Some law enforcement agencies use its technology to find perpetrators and witnesses, including an Alabama police department that said it found suspects in the Jan. 6 riot at the U.S. Capitol.
Biometric data is defined in the GDPR as information, such as a fingerprint or facial-recognition scan, that can identify a person—though a person’s photo isn’t automatically considered biometric, said Els Kindt, a researcher and associate professor in data protection law at the university KU Leuven in Belgium and Leiden University in the Netherlands. That definition is too narrow, she said, because a photo, too, can verify someone’s identity.
Good facial-recognition algorithms would recognize Mr. Marx’s face, even if it changed or was partially covered, he noted. “I can’t change my biometric data,” he said.
Mr. Marx filed his complaint last February after Clearview confirmed to him that his images were in their database. The database contains pictures of him available online from local media reports, he said.
The Hamburg regulator said the GDPR applied to Clearview’s collection of Mr. Marx’s data because some of the images and accompanying texts identified him as a student. That qualifies as a behavioral trait covered under the privacy law.
“As of March 2020, Clearview AI has discontinued the few trial accounts for law enforcement in the EU. It never had any contracts with any customers in the EU, and is not currently available in the EU,” Clearview’s Chief Executive Hoan Ton-That said in an emailed statement. “We look forward to working with the Hamburg [data protection authority], and are in the process of complying with their request.” He added that the company deletes data on people in the EU who request it.
Johannes Caspar, Hamburg’s data protection chief, said his office is considering whether the photos of Mr. Marx qualify as biometric data and might therefore be considered sensitive information under the GDPR.
Mr. Caspar’s preliminary order on Mr. Marx’s data did not extend to all Europeans, and the regulator has wondered if it should. Had he issued a broad ruling that applied beyond Mr. Marx to all EU residents’ data, it could have been challenged, he said. But there is still a case for a wider order, he added.
“When every photo posted to a social network or published on an employer’s website is subject to undiscriminated and unconsented biometric processing, lots of so far isolated dots can be easily connected and rich profiles of persons can be built,” he said in an email.
Privacy watchdogs are also looking at how Clearview moves data between countries. Since the company is located outside the EU, transferring Europeans’ data to the U.S. would violate rules on moving personal data outside the bloc without appropriate privacy safeguards, the chairwoman of the umbrella group of European privacy regulators wrote last June.
It could be difficult for Clearview AI to remove images from people in a certain jurisdiction, Daniel Therrien, Canada’s privacy commissioner, told reporters Wednesday.
“They’re collecting so much information and images. They don’t know whether these images relate to Canadians, Americans or people from other nationalities,” he said. A Clearview spokeswoman didn’t respond to a question on Mr. Therrien’s comment.
Daniel Therrien, Canada’s privacy commissioner, shown in 2019.
Photo: chris wattie/Reuters
Sweden’s regulator will soon finish an investigation into the Swedish police’s use of Clearview from 2019 until March 2020, said Elena Mazzotti Pallard, a legal adviser at the regulator’s office. The case focuses on domestic law enforcement authorities, and not on the company, she said.
Last July, U.K. and Australian privacy authorities began a joint investigation into Clearview, saying they would focus on the company’s use of biometric data and data scraped from the internet. Representatives for the regulators declined to comment.
Last May, the American Civil Liberties Union filed suit against Clearview AI under Illinois’s Biometric Information Privacy Act, which requires companies to obtain individuals’ consent to collect scans of face geometry, or “faceprints,” as well as fingerprints and iris scans. Like GDPR, the Illinois law doesn’t cover photos.
The ACLU wants Clearview to delete the faceprints of Illinois residents that were collected without consent. A hearing is scheduled for April.
Write to Catherine Stupp at [email protected]
This post first appeared on wsj.com
