Facial Recognition Company Clearview AI Provides a Useful Case Study for the Right to be Forgotten in Canada
Why don’t Canadians have the same privacy options with Clearview AI as residents from other jurisdictions? Ultimately, it comes down to the explicit legal protections provided by Canadian privacy law.
Clearview AI, the company famous for providing facial recognition software to law enforcement agencies, was founded three years ago in New York City. Relatively little was known about the company until quite recently when the New York Times published the article “Meet Clearview AI, the secretive company that might end privacy as we know it.” In the weeks following the article’s release, Clearview was met with mass media coverage and public attention, sparking investigations by data security and privacy authorities across North America, including a joint investigation by Canada’s federal and provincial privacy commissioners. Recently, tech companies like IBM, Amazon, and Microsoft, have announced that going forward, they will limit the supply of intelligent surveillance tech to police.
From a user perspective, the premise of Clearview AI is simple: a single photo of someone provides you access to an entire database of publicly available images of that person, with links to where they appear online. On the backend, Clearview maintains a growing database of more than 3 billion images, scraped from “millions of websites,” including Twitter, Facebook, and YouTube. These photos have been used by law enforcement agencies to help identify potential victims and criminals.
According to Clearview, the software is used by more than 600 law enforcement agencies — some located in Canada. The CBC recently reported that the RCMP, Toronto, and Calgary police have all publicly acknowledged using the software, and interestingly, the front page of Clearview’s website showcases reviews by an unnamed Canadian Detective. These reports may partly explain why, out of any country in the world, Canada has logged the highest number of Clearview-AI Google searches (see below).
In June, following several months of relative silence, Clearview AI resurfaced in Canadian media. CBC reported that Canadians — unlike individuals from other jurisdictions (California, the UK, and the EU, for example) — can’t get their images deleted from Clearview’s software. Instead, Canadians can only request to “opt out” of the software, meaning they can have their images deindexed from its search. The Clearview website states that some individuals can request to have their personal information deleted, depending on their respective legal jurisdiction. For example, the website provides data deletion forms for residents of California, Illinois, the European Union, United Kingdom, and Switzerland.
Why don’t Canadians have the same privacy options as residents of other jurisdictions? Ultimately, it comes down to the explicit legal protections provided by Canadian privacy law.
European residents have had a basic “right to erasure” or “right to be forgotten” since 2014, reiterated in 2018 under Article 17 of the GDPR. Article 17 grants European data subjects an explicit right to be forgotten and clarifies specific timelines and processes by which this right should be met. Similarly, the California Consumer Privacy Act (CCPA) signed into law in 2018, grants residents of California the right to have their personal information deleted by businesses upon their request.
So, what about Canada? In February 2018, the Standing Committee on Access to Information, Privacy and Ethics (ETHI) recommended that the Government of Canada amend Canada’s private sector privacy law to include “a framework for a right to erasure based on the model developed by the European Union.” The Office of the Privacy Commissioner of Canada (OPC) released a position paper on deindexing and takedown that same year. The OPC argued that, due to existing requirements for data accuracy, some components of the right to erasure were already present in Canadian privacy law. Although, a number of high-profile Canadian lawyers have since disagreed with this claim.
One important caveat of the right to erasure is that, unrestricted, it has potential to be used by bad actors and authoritarian governments to limit journalism and free speech. The GDPR (in Europe) contains several measures that are purposefully designed to balance the right to erasure with freedom of expression, freedom of information, and journalistic and public interests. Critically, a 2019 ruling by the EU’s highest court found that some aspects of the right to erasure could only be enforced within the legal jurisdiction of the EU. In the context of search engines that delist publicly available information from third party websites, for example, an EU resident’s right to erasure would not outweigh global interests regarding freedom of information. Alongside the Charter of Rights and Freedoms, such purposefully designed mechanisms would be important caveats to any right to erasure in Canada as well.
The federal government responded to the ETHI committee’s recommendations in December 2019 with the Minister of Innovation, Science, and Industry’s mandate letter. The letter described a new set of online rights for Canadians, including “the ability to withdraw, remove and erase basic personal data from a platform.” Today, however, no right to erasure exists.
In response to Clearview, the Privacy Commissioner of Ontario argued that residents of Ontario — like residents of the EU and California — should be able to delete their information from Clearview’s software; after all, they didn’t consent to Clearview using their images for the purpose of facial recognition. Unfortunately, consent isn’t always the most effective tool for protecting personal information that is publicly available. There are ambiguities in Canadian privacy law, and the current definition for publicly available information may not provide enough clarity for businesses and individuals to understand how personal information in the public domain should be protected.
Ultimately, the explicit rights to erasure and deletion afforded by the GDPR and CCPA are not matched in Canadian privacy law due to its ambiguities. The success of the GDPR and CCPA in protecting residents of the EU and California, compared with Canadians’ inability to delete their images from Clearview’s software further clarifies the importance of establishing a right to be forgotten in Canada.
