The use of facial recognition technology is now widespread across many industries as evolving technology facilitates its ready adoption.
However, the Office of the Australian Information Commissioner (OAIC) has put organisations on notice that they must ensure biometric information is not collected unlawfully or unnecessarily through the use of this technology. Further, all such information is required to be stored and used in a manner that is consistent with the requirements of the Privacy Act and general expectations of privacy.
Recent OAIC determination on the use of facial recognition technology
The OAIC recently determined that facial recognition software company, Clearview AI, breached the Privacy Act in several respects, including by collecting sensitive information without consent and by unfair means. The OAIC ordered the company to stop collecting information on Australians and to delete any information it has already collected.
The determination followed a joint investigation with the UK Information Commissioner's Office (ICO) into Clearview AI. However, the ICO is still considering its next steps and any formal regulatory action that may be taken under the UK’s data protection laws.
Clearview AI’s facial recognition system includes a database of more than three billion images taken from social media platforms and other publicly available websites. The system is offered to law enforcement agencies around the world and allows users to upload a photo of an individual’s face and locate other facial images of that person collected from the internet. It then links to where the photos appeared for identification purposes. Clearview AI provided trials of its product to Commonwealth and State law enforcement agencies in Australia in 2019 and 2020, and the OAIC's investigation into the Australian Federal Police's trial use of the technology is still being finalised. The OAIC does not have jurisdiction to investigate State law enforcement agencies.
The decision follows another recent determination in which the Commissioner also found that the use of facial recognition technology did not meet the requirements of the Privacy Act to obtain consent to collect sensitive information.
Best practice for obtaining consent
The OAIC has provided helpful guidance on ensuring that consent is validly obtained when gathering sensitive personal information. According to the OAIC, entities should not generally rely on implied consent when collecting sensitive information.
However, if consent were to be implied, there are steps entities can take to meet best practice:
- consent should not be ambiguous: any communication about the information should clearly set out exactly what information is being collected. Compound sentences and vague statements should be avoided, e.g. the statement 'by entering the store you consent to facial recognition cameras capturing and storing your image' was considered unclear, as it could be interpreted to mean only that the store's CCTV system was equipped with facial recognition;
- information should be provided in the vicinity of the collection point, and as part of the process of collecting the information, e.g. if customers are filling out a survey, there should be a section or screen in the survey that explains exactly what information is being collected;
- communications should be current and specific: a general blanket statement or policy should not be relied upon; and
- bundling requests for consent may undermine the validity of consent as customers are not able to choose which collections they agreed to.
Generally, if an entity wishes to collect sensitive information, the request for consent should:
- clearly identify the information to be collected; the recipients; and the purpose of collection;
- be sought expressly and separately from a privacy policy, concurrently with the collection; and
- be fully informed and freely given.
How the Privacy Act may affect your business
New technologies are making it easier than ever to gather, store and analyse vast amounts of data. While this may make it effortless (and tempting) for organisations to collect information without duly informing customers and stakeholders that they are doing so, or even to collect it 'just in case', organisations risk unwanted attention by the OAIC (and potentially other regulators, such as the Australian Competition and Consumer Commission) should they adopt such practices.